In-Depth
Windows Server 2025 -- Nine Months In
Windows Server 2025 was released on Nov. 4, 2024, and we covered its new features and enhancements in an earlier article while it was still in preview. Microsoft recently held its annual Windows Server Summit online conference, outlining updates and more, which I'll look at in this article. Cloud services are like high-speed express trains that almost never stop at a station, whereas on-premises software (thankfully) is more like a slow train that stops at every station, giving us more time to evaluate new options and adopt them as the business requires.
Windows Admin Center
The web-based UI for managing all aspects of Windows Server, Windows Admin Center (WAC), sure has grown up a lot in the last seven years. If you're new to the concept, you can run WAC on a single server to manage that server, or you can connect multiple servers and virtual machines (VMs) to the same console. Furthermore, you can set up a WAC server as a gateway to which all your Windows servers are connected, and multiple administrators can connect through it to the machines they need to manage. WAC can also be deployed in Azure to manage your Infrastructure-as-a-Service (IaaS) VMs there, and if you have Arc-connected Windows servers, they can also be managed from the Azure WAC instance, obviating the need to run your own gateway server(s). There's now an option to export and import connections from one WAC instance to another, which helps with gateway server upgrades and with backup/restore in a disaster.
One common criticism of WAC compared to the native Hyper-V Manager tool has been performance, but recent releases of WAC now offer the same speed for showing and interacting with VMs. There are new wizards for importing VMs (in preview) and moving VMs (both Live Migration and Quick Migration). The new import wizard performs inline validation of the settings so that you don't have to go through all the pages just to get an error at the end when a setting isn't accurate.
[Figure: Windows Admin Center VM Import Wizard]
Under the hood, since version 2410 (sometimes referred to as V2), WAC has moved from .NET Framework 4.6.2 to .NET 8 as its underlying platform. That's the open-source, cross-platform version of .NET, so in theory there could be a WAC build for macOS or Linux in the future, although none has been announced. The shift also means that if you rely on third-party WAC extensions, you'll need to test them against the new version, and gateway extensions will need to be updated by their authors.
Like so many other Microsoft products and services, WAC has also been covered by the Secure Future Initiative (SFI): all NuGet packages, DLLs and JavaScript files for extensions must now be signed, so an unsigned extension, whether home-grown or from a vendor, will no longer load.
Migrating from VMware
As readers of Virtualization & Cloud Review are aware, the situation for VMware virtualization customers has been pretty dire for the last few years, the latest blow being blocked from downloading security patches unless you sign a subscription contract. I call that hostage taking, akin to criminal ransomware operators (who often target vCenter / ESXi hosts). It's hard not to see this as Broadcom milking the last cash out of its VMware acquisition before killing it off completely.
Anyway, there are alternatives: Proxmox in the open-source world (paid support subscriptions are available), Nutanix and of course Hyper-V. Sometimes I listen to pundits who proclaim that Hyper-V is dead and no longer a focus for Microsoft, something that's patently untrue. All Azure IaaS VMs run on Hyper-V. Azure Local (formerly Azure Stack HCI) runs on Hyper-V. If you run VMs on Windows 11, rely on security features that build on Hyper-V isolation (virtualization-based security, Credential Guard, Windows Sandbox), or run Windows Server containers in Hyper-V isolation mode, you're relying on Hyper-V. So, it's definitely a core technology for Microsoft. You can also see this in the scalability numbers. A physical host can have up to 4 PB (yes, that's roughly 4,000 TB) of memory and 2,048 logical processors, with each VM supporting up to 240 TB of RAM and 2,048 vCPUs. Very, very few enterprises will spend money on hosts that big, but guess who does -- Azure! They need huge hosts for organizations running large workloads such as SAP.
Another sign of the importance of Hyper-V (both in Azure and on-premises) is GPU partitioning (GPU-P) and GPU Live Migration, which are now in Windows Server 2025 as well. GPU-P takes a GPU installed in the host and projects slices of it into several VMs, so one GPU with 16 GB of memory might show up in four VMs with 4 GB each, handy for VDI as well as ML / AI inferencing workloads. Furthermore, you can Live Migrate a running VM with a GPU partition attached from one host to another, provided the destination host has spare GPU capacity.
Microsoft offers four different options for getting off VMware, two in the cloud, and two for on-premises.
[Figure: Microsoft Options for VMware Migration]
You can migrate from vCenter on-premises to Azure VMware Solution (AVS), where Microsoft manages and updates the underlying VMware components in Azure and handles the licensing shenanigans with Broadcom. You can even set up one-, three- or five-year reserved pricing that stays fixed. This option lets you continue to use VMware tech without having to worry about the underlying hosts and networking.
Alternatively, you can migrate your VMs from VMware to Azure IaaS and optionally convert some IaaS workloads to Platform-as-a-Service (PaaS) for lower cost and less administrative overhead.
If you need to stay on-premises, Azure Local is the best option. This is Microsoft's turnkey Hyper-Converged Infrastructure (HCI) platform, available in everything from two- to 16-node clusters from all your favorite hardware vendors. One huge benefit of Azure Local is that Extended Security Updates (ESUs) are free, so those Windows Server 2008 R2 / 2012 / 2012 R2 servers or SQL Server database VMs that you can't upgrade for some reason will continue to receive security patches without you having to pay separately for them.
Another tick for Azure Local is that Azure Migrate -- the free service in Azure that's normally used to inventory, plan, synchronize and report on migrating VMs and databases from on-premises to Azure -- now also supports migrating to Azure Local. No data (except VM metadata) goes to the cloud; your VMware VMs' disks are replicated from their hosts directly to your Azure Local cluster until they're in sync and you're ready to move the workload over.
The final option is migrating to Windows Server 2025, which gives you the most flexibility in building your own clusters exactly how you want them. A new WAC feature (currently in preview) is a conversion wizard that lets you migrate a VMware VM to Hyper-V. It doesn't use agents, does online replication from one environment to the other, is free and supports both Windows and Linux VMs.
[Figure: Windows Admin Center VM Conversion Extension Preview]
Upgrading to Windows Server 2025
Upgrading servers is a dreaded project for most IT pros. In another sign that Microsoft is serious about Windows Server, they've added some very interesting new options to ease this pain.
First of all, the traditional "swing" option still works: set up a new file server or Domain Controller, migrate the workload from the old servers to the new ones, rinse and repeat until they're all done, and then retire the old ones.
Alternatively, you can perform a media upgrade: plug in a USB drive or DVD, or attach an ISO file to a VM (having tested your backups and taken a checkpoint before proceeding). This used to be supported only for N-2, but has now been extended to N-4, so you can upgrade from Windows Server 2012 R2, 2016, 2019 or 2022 directly to 2025. For Hyper-V VMs, the inbuilt integration drivers are upgraded automatically. If you're on VMware, make sure VMware Tools is the latest version before running the upgrade. If it's a physical server, you'll need to confirm that add-in cards and other hardware have drivers and are supported on 2025. If this process sounds scary, I point to the fact that Microsoft has been recommending and improving this option for several years now, and particularly if you're upgrading a VM, a test migration is easy to do and very low risk.
A new alternative is a feature upgrade (unless you've blocked it via Group Policy): go to Windows Update in Settings and, just as you can upgrade Windows 11 23H2 to 24H2, you can upgrade a Windows Server 2019 or 2022 server to 2025 (N-2). For Windows Server 2022 Server Core (the "command line only" installation) you can also do this using SConfig.
Finally, if you have a Windows Server 2022 failover cluster, you can use Cluster-Aware Updating (CAU) to perform a rolling upgrade of the cluster nodes to 2025.
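As an added example (my own script, not from the Summit material), here is the pre-flight I'd run on the Hyper-V host before a media upgrade of a VM: confirm the guest's build falls inside the N-4 window, take a checkpoint, and attach the ISO. It assumes PowerShell Direct works to the guest (Windows Server 2016 or later guest with integration services running); `FS01`, the ISO path and the credential prompt are placeholders.

```powershell
# Added example, not from the article. Run on the Hyper-V host as an administrator.
# Assumptions: PowerShell Direct to the guest works; $IsoPath is the 2025 media.
param(
    [string]$VMName  = 'FS01',                           # placeholder VM name
    [string]$IsoPath = 'D:\ISO\WindowsServer2025.iso',   # placeholder ISO location
    [pscredential]$GuestCred = (Get-Credential -Message 'Guest local admin credential')
)

# Builds that fall inside the N-4 in-place upgrade window the article describes.
$SupportedSource = @{
    9600  = 'Windows Server 2012 R2'
    14393 = 'Windows Server 2016'
    17763 = 'Windows Server 2019'
    20348 = 'Windows Server 2022'
}

# 1. Read the guest's build and edition over PowerShell Direct (no guest network needed).
$guest = Invoke-Command -VMName $VMName -Credential $GuestCred -ScriptBlock {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Build   = [int]$os.BuildNumber
        Caption = $os.Caption
        Edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    }
}

if (-not $SupportedSource.ContainsKey($guest.Build)) {
    throw "Build $($guest.Build) ($($guest.Caption)) is outside the supported in-place upgrade window; use the swing method instead."
}
Write-Host "Guest is $($SupportedSource[$guest.Build]) ($($guest.Edition)): in-place upgrade to 2025 is supported."

# 2. Checkpoint first so a failed upgrade can be rolled back in seconds
#    (a checkpoint is not a backup; verify your backup product has a recent restore point too).
Checkpoint-VM -Name $VMName -SnapshotName "Pre-WS2025-upgrade-$(Get-Date -Format yyyyMMdd-HHmm)"

# 3. Attach the ISO (adding a DVD drive if the VM has none); then run setup.exe inside the guest.
if (-not (Get-VMDvdDrive -VMName $VMName)) { Add-VMDvdDrive -VMName $VMName }
Set-VMDvdDrive -VMName $VMName -Path $IsoPath
Write-Host "ISO attached to $VMName; sign in to the guest and run setup.exe from the DVD drive."
```

The build-number check is the part worth keeping even if you don't script the rest: a 2012 (non-R2) or older guest will fail setup's compatibility check late in the process, after you have already spent the maintenance window.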
Arc Everywhere
We've mentioned Arc a few times already. If you're not familiar with it, Azure Arc lets you install an agent on any Windows or Linux server outside Azure (on-premises, co-lo, another cloud), connect it to Azure's control plane and manage it from there. You can run databases, Kubernetes clusters, ML workloads and more, and manage them all from Azure.
If your current Windows Server licensing has Software Assurance (free upgrades for the duration of the contract), you get Windows Server management enabled by Azure Arc at no extra cost. This gives you the capabilities summarized in the figure:
[Figure: Windows Server Management Enabled by Azure Arc]
I heard one interesting comment during the Summit -- Intune is the replacement for System Center Configuration Manager (SCCM) for clients, and Arc is the replacement for server management.
There are a few highlights in that list. Change tracking and inventory: detecting configuration drift is crucial for efficient (and secure) server management. Update Manager is a complete solution for deploying updates with reporting and auditing built in; new here (in preview) are maintenance windows to match what SCCM offers. Remote Support is inherited from Azure Local (where many features are tested before making it to Windows Server) and lets you grant a Microsoft support engineer time-limited, scoped command-line access to gather logs during a support case, rather than handing over standing credentials.
Also coming are application patching and an extension of the existing Run command (which executes PowerShell scripts in Azure VMs) to Arc-connected machines.
Alongside the existing licensing options, there's a new one, Windows Server Pay-as-you-go, which is useful if you need to stand up servers for a short time (weeks or months, but not years): you activate them and pay for them monthly through an Azure subscription.
Windows Server Hotpatching
Something that'll improve sysadmins' lives is the extension of Hotpatching to Windows Server everywhere. This tech applies security patches to a running OS without requiring a restart. It was initially developed for Azure's own Hyper-V hosts, then offered for Windows Server 2022 Datacenter: Azure Edition on Server Core, and eventually for the Desktop Experience installation too, but only in Azure VMs. It was in preview for Windows Server 2025 when that was first released, but is now generally available and covers Azure Local VMs as well as Azure Arc-connected servers. It works just as it does on Windows client: in the first month of a quarter (say January) you get a normal baseline update, which requires a restart, followed by hotpatches in February and March that apply in seconds and don't initiate a reboot. Then in April you get a full baseline again, reducing 12 restarts a year to four.
Note that Hotpatching requires Virtualization Based Security (VBS) to be running on the machine, and it incurs a per-core subscription cost for Arc-connected servers.
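As an added check (my own, not from the article), the following script reports whether a server meets the prerequisites above before you try to enroll it in Azure Update Manager: Windows Server 2025 Standard or Datacenter, VBS actually running (not merely enabled), and a connected Arc agent. It assumes the Arc agent CLI `azcmagent` is on the PATH and prints an `Agent Status : Connected` line when enrolled; that output format and the edition IDs are taken from current documentation and could change.

```powershell
# Added example, not from the article. Run as administrator on the candidate server.
# Assumptions: azcmagent is on PATH; its "Agent Status" line format is as documented today.
function Test-HotpatchPrerequisites {
    $os      = Get-CimInstance Win32_OperatingSystem
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # Hotpatch needs 2; a VM that is "enabled" but lacks UEFI/Secure Boot/nested features stays at 1.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    $arcConnected = $false
    if (Get-Command azcmagent -ErrorAction SilentlyContinue) {
        $arcConnected = ((& azcmagent show 2>&1) | Out-String) -match 'Agent Status\s*:\s*Connected'
    }

    [pscustomobject]@{
        Build        = [int]$os.BuildNumber
        IsWS2025     = [int]$os.BuildNumber -ge 26100      # 26100 = Windows Server 2025 RTM build
        Edition      = $edition
        EditionOk    = $edition -match '^Server(Standard|Datacenter)'
        VbsRunning   = $vbsRunning
        ArcConnected = $arcConnected
    }
}

$check = Test-HotpatchPrerequisites
$check | Format-List

if (-not ($check.IsWS2025 -and $check.EditionOk -and $check.VbsRunning -and $check.ArcConnected)) {
    Write-Warning 'Not ready for Hotpatch enrollment; fix every item reported as False above.'
}

# If VbsRunning is False, enable VBS (reboot required). On a Hyper-V VM this also needs a
# Generation 2 VM with Secure Boot on; on physical hardware, IOMMU/VT-d and UEFI.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' `
#     -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
```

Checking the DeviceGuard status value rather than the policy registry key matters: the policy can be set while the hypervisor never launches, and a server in that state will be rejected at enrollment time.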
Networking & Storage
There are quite a few continuing improvements here, starting with the performance of NVMe storage. These are SSDs connected directly to the PCI-Express bus in your servers, and the new storage stack delivered a 60% improvement in random-read performance between Windows Server 2022 and 2025, with a 30% reduction in CPU load, at the GA of Windows Server 2025. Upcoming updates bring that to an 80% improvement over Windows Server 2022 with a 45% reduction in CPU load; this latest round of enhancements will be GA at Ignite in November 2025.
Organizations that have an existing investment in SANs, but are deploying Azure Local or Windows Server 2025 Storage Spaces Direct (S2D) clusters, can now mix SAN-connected virtual disks with local S2D disks.
On the networking side there's a new feature called S2D campus clusters (Azure Local calls this a rack-aware cluster), where a single two- or four-node cluster can span separate buildings (1 ms or less latency between them). This doesn't rely on Storage Replica or Layer 3 switching, just dark fiber, and in a four-node configuration it gives you both node and rack redundancy: a whole rack plus one host in the other rack can fail, and your workloads will still be available on the remaining node.
Software Defined Networking (SDN), another inheritance from Azure itself, is becoming simpler to deploy, starting with the Network Controller moving from a set of VMs to a failover cluster role. You can also deploy SDN from WAC, making it much easier overall. The Software Load Balancer (SLB) uses BGP, which works fine in large deployments where you're using BGP anyway, but for smaller environments there's now a "BGP-less" option that relies on ARP instead. SDN monitoring in WAC has also improved, with Network HUD (Heads Up Display) making monitoring and troubleshooting of networking issues more efficient.
[Figure: Windows Admin Center Software Defined Network Monitoring]
Azure IaaS provides Accelerated Networking, which is built on a technology that's been in Hyper-V for a long time, Single Root I/O Virtualization (SR-IOV). Traditionally this has been challenging to configure, but deployment has now been simplified in WAC.
If you want to try out SDN, there's an upcoming Sandbox deployment that sets everything up for you (two PowerShell commands) as long as you have a Windows Server 2025 host with at least 128 GB of RAM, a 300 GB+ SSD and 1 Gb networking. It builds two hosts, plus a management host and a simulated Top-of-Rack switch VM.
Security
No release of Windows Server is complete without security enhancements, and these continue apace in updates to Windows Server 2025; in fact Microsoft has published a free eBook about them. Please also refer to the earlier article where I looked at the improvements in Active Directory and SMB security and so on.
Recent improvements include account lockout policy changes, including the ability to lock out the built-in local Administrator account on a server after repeated failed logons. WINS was deprecated in Windows Server 2022, and the Remote Mailslot protocol (from the early '90s!) is deprecated and disabled by default in Server 2025. Windows Local Administrator Password Solution (LAPS) can be managed through WAC, offers easier-to-type passphrase support, lets you exclude look-alike characters (the digit 1, lowercase l and uppercase I) from generated passwords, and can automatically create and manage the local administrator account on your Windows devices.
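As an added example (mine, not from the article), the script below configures the Windows LAPS features just mentioned on a single domain-joined test machine by writing the LAPS policy registry values directly, then forces a policy cycle and reads the resulting password back from AD. The numeric values follow Microsoft's Windows LAPS policy documentation as I read it (6 = long-word passphrase, 5 = complex password with look-alike characters removed, 1 = manage a new custom account) and should be verified against the current docs; in production you would push these via Group Policy, Intune or WAC rather than the registry.

```powershell
# Added example, not from the article. Domain-joined machine, run as administrator.
# Assumption: policy value meanings as documented for Windows LAPS on WS2025 / Win11 24H2.
$LapsPolicy = 'HKLM:\Software\Microsoft\Policies\LAPS'
New-Item -Path $LapsPolicy -Force | Out-Null

$Settings = @{
    BackupDirectory                         = 2           # 2 = back up to Windows Server AD (1 = Entra ID)
    PasswordComplexity                      = 6           # 6 = passphrase of long words; use 5 for a
                                                          #     classic complex password minus 1/l/I look-alikes
    PasswordLength                          = 6           # number of words when in passphrase mode
    PasswordAgeDays                         = 30
    PostAuthenticationResetDelay            = 8           # hours after the password is used...
    PostAuthenticationActions               = 3           # ...then reset it and log the session off
    AutomaticAccountManagementEnabled       = 1
    AutomaticAccountManagementTarget        = 1           # 1 = create/manage a custom admin account
    AutomaticAccountManagementNameOrPrefix  = 'LapsAdmin' # placeholder name prefix
    AutomaticAccountManagementRandomizeName = 1           # prefix + random suffix defeats name guessing
    AutomaticAccountManagementEnableAccount = 1
}
foreach ($name in $Settings.Keys) {
    Set-ItemProperty -Path $LapsPolicy -Name $name -Value $Settings[$name]
}

# Apply immediately instead of waiting for the next policy refresh.
Invoke-LapsPolicyProcessing

# Retrieve the current password from AD (requires read permission on the computer's
# msLAPS-Password attribute); the account name shows the randomized suffix.
Get-LapsADPassword -Identity $env:COMPUTERNAME -AsPlainText |
    Select-Object ComputerName, Account, Password, ExpirationTimestamp
```

The post-authentication reset is the setting I'd call out: once a technician uses the retrieved passphrase, LAPS rotates it after the delay, so a password that leaks from a ticket or chat has a bounded lifetime.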
You can migrate manually created service accounts in AD to delegated Managed Service Accounts (dMSAs), which are much more secure (AD manages the credential and only the authorized hosts can retrieve it) and remove the password rotation chore entirely.
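As an added example (my own, not from the article), here is the migration of a legacy service account to a dMSA using the Windows Server 2025 Active Directory cmdlets. It assumes a domain with at least one 2025 Domain Controller, the updated schema, an existing KDS root key, and that `svc-legacy-app`, `dmsa-app`, the OU and the host names are placeholders.

```powershell
# Added example, not from the article. Run with an account that may create
# msDS-DelegatedManagedServiceAccount objects in the target OU (keep that right tightly scoped).
Import-Module ActiveDirectory

$OldAccount = 'CN=svc-legacy-app,OU=ServiceAccounts,DC=corp,DC=example'   # placeholder
$NewName    = 'dmsa-app'                                                   # placeholder
$TargetOU   = 'OU=ServiceAccounts,DC=corp,DC=example'
$AppHosts   = 'APP01$', 'APP02$'        # only these computers may retrieve the credential

# Sanity check: migration needs a 2025 DC in the domain.
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem

# 1. Create the dMSA (the -CreateDelegatedServiceAccount switch is what distinguishes it from a gMSA).
New-ADServiceAccount -Name $NewName -DNSHostName "$NewName.corp.example" `
    -CreateDelegatedServiceAccount -KerberosEncryptionType AES256 `
    -PrincipalsAllowedToRetrieveManagedPassword $AppHosts -Path $TargetOU

# 2. Start the migration: from now on the KDC issues tickets for the dMSA whenever
#    the legacy account authenticates, so the app keeps working while you test.
Start-ADServiceAccountMigration -Identity $NewName -SupersededAccount $OldAccount

# 3. Once the application is confirmed healthy (watch its logon events on $AppHosts),
#    complete the migration: the legacy account is disabled and its password is dead.
Complete-ADServiceAccountMigration -Identity $NewName -SupersededAccount $OldAccount

# Rollback before completion, if something breaks:
# Undo-ADServiceAccountMigration -Identity $NewName -SupersededAccount $OldAccount
```

Because the dMSA inherits the legacy account's access during and after migration, treat the right to create and link dMSAs as equivalent to the right to impersonate the accounts they supersede, and audit it accordingly.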
Security baselines continue to evolve in Windows Server, starting with "silicon-assisted security" that builds on Secured-core hardware such as a TPM 2.0 chip, firmware protection and virtualization-based security (VBS). There are three general Windows Server baselines (Workgroup, Member Server and Domain Controller, each with 300+ settings), plus a Windows Defender Antivirus baseline (40+ settings) and a Secured-core one (6 settings). You can easily apply baselines with WAC or PowerShell cmdlets, and drift detection and remediation are built in.
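As an added example (mine, not a transcript of the Summit demo), this applies the Member Server baseline with the OSConfig PowerShell module and then lists any setting that is not compliant, which is the on-demand view of the drift detection described above. The scenario names and the shape of the returned objects (`Name`, `Value`, `Compliance.Status`) follow Microsoft's OSConfig documentation as I read it; the overridden setting name is a placeholder for whatever exception your environment needs.

```powershell
# Added example, not from the article. Requires an elevated session and internet access to PSGallery.
# Assumption: scenario identifiers and output properties as documented for Microsoft.OSConfig.
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
Import-Module Microsoft.OSConfig

$Scenario = 'SecurityBaseline/WS2025/MemberServer'   # also: .../DomainController, .../WorkgroupMember

# Apply the baseline with Microsoft's default values. Drift remediation is enabled from here on.
Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default

# Return only the settings that currently deviate from the desired state.
function Get-BaselineDrift {
    param([string]$Scenario)
    Get-OSConfigDesiredConfiguration -Scenario $Scenario |
        Where-Object { $_.Compliance.Status -ne 'Compliant' } |
        Select-Object Name, Value,
            @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
            @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } }
}

$drift = Get-BaselineDrift -Scenario $Scenario
if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift from baseline.' }

# Document and apply an exception for one setting rather than skipping the baseline
# (setting name is a placeholder; keep the justification in change control):
# Set-OSConfigDesiredConfiguration -Scenario $Scenario -Setting AuditDetailedFileShare -Value 0

# Layer the Defender and Secured-core scenarios the article mentions on top:
# Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default
# Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
```

Apply the baseline to a test server first and read the drift report before rolling it out: a few of the 300+ settings (audit policy, legacy protocol restrictions) will break applications that depend on the old defaults, and the per-setting override is the supported way to carve out those exceptions while keeping the rest enforced.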
[Figure: Applying Windows Server Security Baselines in PowerShell]
The engine behind these baselines is OSConfig, the component of Windows Server that's increasingly used to configure and control settings across the OS.
There was a comment in this session that caught my attention: with these baselines and OSConfig, they're matching the capability of the Configuration Service Providers (CSPs) used by Intune / MDM management. One of the biggest omissions (in my opinion) in Windows Server is that it doesn't support MDM management; Intune can only manage Windows clients (as well as macOS, Android and iOS). With these added features, which don't rely on Group Policy or AD at all, all the important configuration policies become available on servers too. And they're backporting this to Windows Server 2022.
[Figure: Windows Admin Center Silicon Assisted Security]
Conclusion
While Windows Server doesn't always get the marketing juice that Microsoft's cloud services (and, dare I say it, Copilot agents) get, there's a raft of improvements in Windows Server 2025 and, as covered in this article, more coming in regular updates as well.