Windows Server 2025 represents a significant leap forward, delivering cutting-edge features designed to revolutionize your infrastructure management. Building upon the robust foundation of its predecessors, this latest iteration introduces a suite of innovative enhancements focused on bolstering security, optimizing performance, and maximizing flexibility. With advanced storage solutions and seamless integration capabilities within hybrid cloud environments, Windows Server 2025 streamlines infrastructure management, adapting to the evolving demands of modern IT landscapes.
Desktop Experience and Upgrade Enhancements in Server 2025
Windows Server 2025 offers streamlined upgrade paths and a modernized desktop experience, making server management more intuitive and efficient.
Simplified In-Place Upgrades via Windows Update
Upgrading to Server 2025 is now more straightforward, with in-place upgrades available directly through Windows Update. This feature update option, accessible from the Settings dialog, extends to devices running Windows Server 2019 and Windows Server 2022. For Server Core environments, upgrades can be initiated using SConfig. Organizations seeking gradual and controlled upgrades can leverage Group Policy to manage the availability of this optional feature update, ensuring a smooth transition. For detailed guidance, refer to Manage feature updates with Group Policy on Windows Server.
Direct Upgrade Path from Windows Server 2012 R2
Server 2025 significantly simplifies upgrade paths by allowing direct upgrades from Windows Server 2012 R2 and later versions. This capability to skip multiple versions streamlines the upgrade process, reducing complexity and downtime associated with migrating from older systems.
Modernized Desktop Shell Experience
Upon initial login, users are greeted with a desktop shell that mirrors the contemporary design and user interface of Windows 11. This visual refresh provides a more user-friendly and consistent experience across the Windows ecosystem.
Integrated Bluetooth Support
Windows Server 2025 now natively supports Bluetooth connectivity. This addition enables seamless integration with a wide range of peripherals, including mice, keyboards, headsets, and audio devices, enhancing user interaction and flexibility within the server environment.
Native DTrace Command-Line Utility
Server 2025 incorporates dtrace as a built-in command-line tool, empowering administrators with real-time system performance monitoring and troubleshooting capabilities. DTrace allows dynamic instrumentation of both kernel and user-space code without requiring code modifications. This versatile tool supports diverse data collection and analysis methods, including aggregations, histograms, and user-level event tracing. Explore DTrace for command-line assistance and DTrace on Windows for comprehensive feature details.
Enhanced Email and Account Management
Managing accounts in Windows Server 2025 is simplified with the ability to add various account types directly within Windows Settings under Accounts > Email & accounts. Supported account types now include:
- Microsoft Entra ID
- Microsoft account
- Work or school account
While domain join remains essential for many scenarios, this expanded account management provides greater flexibility and integration with modern identity platforms.
Integrated Feedback Hub for Server Improvement
The Windows Feedback Hub is now directly accessible within Server 2025, facilitating user feedback and problem reporting. Users can easily submit feedback and report issues encountered while using Windows Server 2025, including screenshots or recordings to provide detailed context. This direct feedback mechanism helps Microsoft understand user experiences and drive continuous improvement. To learn more, see Explore the Feedback Hub.
Enhanced File Compression Capabilities
Server 2025 introduces a new built-in file compression feature. Accessible via right-click context menu with the “Compress to” option, this feature supports popular compression formats including ZIP, 7z, and TAR, each with specific compression methods. This native compression tool enhances file management and storage efficiency.
Customizable Pinned Apps in the Start Menu
Personalize your Server 2025 experience with customizable pinned apps in the Start menu. Users can now pin frequently used applications for quick access, tailoring the Start menu to their specific workflows. Default pinned apps include:
- Azure Arc Setup
- Feedback Hub
- File Explorer
- Microsoft Edge
- Server Manager
- Settings
- Terminal
- Windows PowerShell
Modernized Task Manager with Mica Material
Windows Server 2025 features a redesigned Task Manager app, adopting the modern design language of Windows 11 with Mica material. This visual update provides a more contemporary and visually appealing user interface for system monitoring and management.
Default Wireless LAN Service Installation
Enabling wireless capabilities is now easier as the Wireless LAN Service feature is installed by default in Server 2025. While the wireless startup service is set to manual, it can be readily enabled by running net start wlansvc in the command prompt, Windows Terminal, or PowerShell, simplifying wireless network configuration.
Windows Terminal Pre-installed
The Windows Terminal, a powerful and versatile multi-shell application for command-line users, comes pre-installed in Windows Server 2025. Users can easily access it by searching for “Terminal” in the search bar, providing immediate access to a modern command-line environment.
WinGet Package Manager Included by Default
Server 2025 includes WinGet by default, a command-line Windows Package Manager tool. WinGet streamlines application installation and management on Windows devices, offering comprehensive package management solutions. For more information, see Use the WinGet tool to install and manage applications.
Advanced Multilayer Security Innovations in Server 2025
Security is paramount in Windows Server 2025, with significant advancements in multilayer protection to safeguard your critical infrastructure.
Hotpatch (Preview) for Azure Arc-Connected Servers
Windows Server 2025 introduces Hotpatch (preview), a groundbreaking feature for Azure Arc-connected machines. Once enabled in the Azure Arc portal, Hotpatch allows applying OS security updates without requiring server restarts. This significantly minimizes downtime and maximizes system availability while maintaining robust security posture. To learn more, see Hotpatch.
Credential Guard Enabled by Default
Starting with Windows Server 2025, Credential Guard is enabled by default on systems meeting the hardware and firmware prerequisites. This critical security feature protects credentials from theft and reuse by isolating secrets in a hardware-based virtualized environment, significantly enhancing protection against credential-based attacks. For detailed information, see Configure Credential Guard.
Active Directory Domain Services (AD DS) Enhancements
Server 2025 brings a range of enhancements to Active Directory Domain Services (AD DS) and Active Directory Lightweight Domain Services (AD LDS), optimizing domain management and security:
- Optional 32k Database Page Size: AD DS now offers an optional 32k database page size, a significant evolution from the legacy 8k page size used since Windows 2000. This expansion addresses limitations related to object size and multivalued attributes. New domain controllers (DCs) can be installed with a 32k-page database, while existing DCs can continue using the 8k format for compatibility. Forest-wide adoption of 32k pages requires all DCs in the forest to be 32k-capable.
- Active Directory Schema Updates: Three new log database files (sch89.ldf, sch90.ldf, and sch91.ldf) extend the Active Directory schema, with corresponding updates in MS-ADAM-Upgrade3.ldf for AD LDS. Refer to Windows Server Active Directory schema updates for details on previous schema updates.
- Active Directory Object Repair: Enterprise administrators gain the ability to repair objects with missing core attributes (SamAccountType and ObjectCategory) and reset the LastLogonTimeStamp attribute. These operations are facilitated through a new fixupObjectState modify operation on the RootDSE object.
- Channel Binding Audit Support: Enhanced auditing capabilities for Lightweight Directory Access Protocol (LDAP) channel binding are introduced with events 3074 and 3075. These events help administrators identify devices that do not support or fail channel binding, especially when enforcing stricter channel binding policies. These audit events are also available in Windows Server 2022 and later via KB4520412.
- DC-Location Algorithm Improvements: The domain controller discovery algorithm is refined with improved mapping of short NetBIOS-style domain names to DNS-style domain names. For further information, consult Locating domain controllers in Windows and Windows Server. Note that Windows no longer uses mailslots during DC discovery due to the deprecation of WINS and mailslots.
- Forest and Domain Functional Levels: A new functional level is introduced for general supportability and is mandatory for the 32k database page size feature. This level corresponds to DomainLevel 10 and ForestLevel 10 for unattended installations. Microsoft does not plan to backport functional levels to Windows Server 2019 and Windows Server 2022. Unattended DC promotion and demotion details are available in DCPROMO answer file syntax for unattended promotion and demotion of domain controllers. The DsGetDcName API now supports the DS_DIRECTORY_SERVICE_13_REQUIRED flag to locate Windows Server 2025 DCs. New Active Directory forests or AD LDS configuration sets require a functional level of Windows Server 2016 or later, and replica promotion requires the existing domain or configuration set to be at Windows Server 2016 functional level or higher. Microsoft recommends planning upgrades to Windows Server 2022 for Active Directory and AD LDS servers in preparation for future releases.
- Improved Algorithms for Name/SID Lookups: Local Security Authority (LSA) Name and SID Lookup forwarding between machine accounts now leverages Kerberos authentication and the DC Locator algorithm instead of the legacy Netlogon secure channel. Netlogon secure channel remains as a fallback for legacy OS compatibility.
- Enhanced Security for Confidential Attributes: DCs and AD LDS instances now restrict LDAP operations involving confidential attributes (add, search, modify) to encrypted connections only, bolstering data confidentiality.
- Improved Security for Default Machine Account Passwords: Active Directory now utilizes randomly generated default computer account passwords. Windows 2025 DCs prevent setting computer account passwords to the default computer account name. This behavior is controlled by the Group Policy Object (GPO) setting Domain controller: Refuse setting default machine account password located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Tools like ADAC, ADUC, net computer, and dsmod adhere to this new behavior, and ADAC and ADUC no longer allow creation of pre-Windows 2000 accounts.
- Kerberos PKINIT Support for Cryptographic Agility: The Kerberos Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) protocol implementation is updated to support cryptographic agility by accommodating more algorithms and removing hardcoded algorithms.
- LAN Manager GPO Setting Deprecation: The GPO setting Network security: Don’t store LAN Manager hash value on next password change is deprecated and no longer applicable to newer Windows versions.
- LDAP Encryption by Default: All LDAP client communication following a Simple Authentication and Security Layer (SASL) bind now uses LDAP sealing by default. For more information on SASL, refer to SASL Authentication.
- LDAP Support for TLS 1.3: LDAP leverages the latest SCHANNEL implementation and supports TLS 1.3 for LDAP over TLS connections. TLS 1.3 enhances security and eliminates obsolete cryptographic algorithms. Explore Protocols in TLS/SSL (Schannel SSP) and TLS Cipher Suites in Windows Server 2022 for more details.
- Legacy Security Account Manager (SAM) Remote Procedure Call (RPC) Password Change Behavior: Secure protocols like Kerberos are the preferred method for domain user password changes. On DCs, the latest SAM RPC password change method SamrUnicodeChangePasswordUser4 using Advanced Encryption Standard (AES) is accepted by default for remote calls. Legacy SAM RPC methods are blocked by default for remote calls. For domain users in the Protected Users group and local accounts on domain member computers, all remote password changes via the legacy SAM RPC interface, including SamrUnicodeChangePasswordUser4, are blocked by default. This behavior is configurable via the GPO setting: Computer Configuration > Administrative Templates > System > Security Account Manager > Configure SAM change password RPC methods policy.
- Non-Uniform Memory Access (NUMA) Support: AD DS now utilizes NUMA-capable hardware, leveraging CPUs across all processor groups, expanding beyond the previous limitation of group 0 and enabling scalability beyond 64 cores.
- Performance Counters: New performance counters are available for monitoring and troubleshooting:
  - DC Locator: Client and DC-specific counters.
  - LSA Lookups: Name and SID Lookups through LsaLookupNames, LsaLookupSids, and equivalent APIs, available on both client and server versions.
  - LDAP client: Available in Windows Server 2022 and later via the KB 5029250 update.
- Replication Priority Order: Administrators can now elevate the system-calculated replication priority for specific naming contexts with a particular replication partner, providing greater control over replication order in specific scenarios.
Delegated Managed Service Account (dMSA)
Server 2025 introduces Delegated Managed Service Accounts (dMSA), facilitating migration from traditional service accounts. dMSAs utilize managed and randomized keys, minimizing application changes while disabling original service account passwords, enhancing security and manageability. For more details, see Delegated Managed Service Accounts overview.
Enhanced Windows Local Administrator Password Solution (LAPS)
Windows LAPS in Server 2025 receives significant enhancements, providing improved local administrator password management:
- Automated Account Management: IT administrators can easily create and manage local accounts, customizing account names, enabling/disabling accounts, and even randomizing account names for enhanced security. This feature improves integration with existing Microsoft local account management policies. Learn more at Windows LAPS account management modes.
- Image Rollback Detection: Windows LAPS now detects image rollbacks and automatically rotates passwords if a rollback is detected, preventing “torn state” issues where the Active Directory password becomes out of sync with the local device password. This feature uses the msLAPS-CurrentPasswordVersion Active Directory attribute. Enable this feature by running the latest Update-LapsADSchema cmdlet.
- Passphrase Support: Windows LAPS now supports generating less complex, more readable passphrases (e.g., “EatYummyCaramelCandy”) in addition to traditional complex passwords. The PasswordComplexity policy setting allows selection from three different word lists for passphrases, and the PassphraseLength policy controls the number of words. Word lists are sourced from the Electronic Frontier Foundation’s Deep Dive: EFF’s New Wordlists for Random Passphrases. Windows LAPS Passphrase Word Lists are available for download under the CC-BY-3.0 attribution license. Custom word lists are not supported.
- Improved Readability Password Dictionary: A new PasswordComplexity setting (value 5) enhances password readability by excluding visually similar and confusing characters (e.g., ‘I’, ‘l’, ‘1’, ‘0’, ‘O’). This setting aims to improve password usability without compromising security.
- Post-Authentication Action (PAA) Process Termination: A new PAA option, Reset the password, sign out the managed account, and terminate any remaining processes, expands on the previous PAA options. This option terminates interactive sign-in sessions and enumerates and terminates any remaining processes running under the managed local account, providing enhanced post-authentication control. Expanded logging events for PAA execution offer deeper operational insights.
For a comprehensive understanding of Windows LAPS, refer to What is Windows LAPS?.
OpenSSH Installed by Default
OpenSSH, a crucial connectivity tool, is now installed by default in Windows Server 2025 server-side components, eliminating the need for manual installation. The Server Manager UI includes a one-step option under Remote SSH Access to enable or disable the sshd.exe service. The OpenSSH Users group allows granular access control. For more information, see OpenSSH for Windows overview.
Security Baseline Implementation
Server 2025 facilitates proactive security posture management through customized security baselines. This baseline includes over 350 preconfigured Windows security settings, aligning with Microsoft and industry best practices. Administrators can apply and enforce specific security settings from the outset for devices or VM roles. To learn more, see OSConfig overview.
Virtualization-Based Security (VBS) Enclaves
VBS enclaves in Server 2025 provide software-based trusted execution environments within a host application’s address space. Utilizing underlying VBS technology, VBS enclaves isolate sensitive application components in secure memory partitions, protecting workloads from both the host application and the broader system, minimizing trust requirements for administrators and hardening against attacks. For more information, consult the VBS enclaves Win32 reference.
Virtualization-Based Security (VBS) Key Protection
VBS key protection enables Windows developers to secure cryptographic keys using VBS. Keys are isolated within a secure process, with operations occurring without exposing private key material outside this protected space. At rest, TPM keys encrypt private key material, binding VBS keys to the device, preventing exfiltration attacks. VBS must be enabled to utilize key protection. For enabling VBS, see Enable memory integrity.
Secured Connectivity Enhancements
Server 2025 strengthens connection security through various improvements.
Secure Certificate Management
Certificate management in Windows Server 2025 enhances security by supporting SHA-256 hashes in certificate searching and retrieval functions like CertFindCertificateInStore and CertGetCertificateContextProperty. TLS server authentication now mandates a minimum RSA key length of 2,048 bits for enhanced security. Refer to TLS server authentication: Deprecation of weak RSA certificates for more details.
SMB over QUIC Now Standard
The SMB over QUIC server feature, previously exclusive to Windows Server Azure Edition, is now available in both Windows Server Standard and Datacenter editions. SMB over QUIC leverages the QUIC protocol for low-latency, encrypted internet connections.
SMB over QUIC Enablement Policy
Administrators can manage SMB over QUIC client functionality via Group Policy and PowerShell. Disabling SMB over QUIC through Group Policy involves setting the Enable SMB over QUIC policy to Disabled in:
- Computer Configuration\Administrative Templates\Network\Lanman Workstation
- Computer Configuration\Administrative Templates\Network\Lanman Server
PowerShell disabling is achieved with the command:
Set-SmbClientConfiguration -EnableSMBQUIC $false
SMB Signing and Encryption Auditing
Server 2025 introduces SMB server and client auditing for SMB signing and encryption support. This allows detection of non-Microsoft clients or servers lacking SMB encryption or signing capabilities. Deviation from the SMB 3.1.1 Pre-authentication integrity protocol requirement by devices claiming SMB 3.1.1 support but failing to support signing can be identified.
Auditing settings are configurable via Group Policy or PowerShell in these paths:
- Computer Configuration\Administrative Templates\Network\Lanman Server\Audit client does not support encryption
- Computer Configuration\Administrative Templates\Network\Lanman Server\Audit client does not support signing
- Computer Configuration\Administrative Templates\Network\Lanman Workstation\Audit server does not support encryption
- Computer Configuration\Administrative Templates\Network\Lanman Workstation\Audit server does not support signing
PowerShell commands for enabling auditing (using $true; $false to disable) are:
Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true
Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true
Set-SmbClientConfiguration -AuditServerDoesNotSupportEncryption $true
Set-SmbClientConfiguration -AuditServerDoesNotSupportSigning $true
Event logs are stored in Event Viewer under:
Path | Event ID |
---|---|
Applications and Services Logs\Microsoft\Windows\SMBClient\Audit | 31998, 31999 |
Applications and Services Logs\Microsoft\Windows\SMBServer\Audit | 3021, 3022 |
SMB over QUIC Auditing
SMB over QUIC connection auditing logs events, including QUIC transport details, in Event Viewer under:
Path | Event ID |
---|---|
Applications and Services Logs\Microsoft\Windows\SMBClient\Connectivity | 30832 |
Applications and Services Logs\Microsoft\Windows\SMBServer\Connectivity | 1913 |
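The following PowerShell sketch is an added example, not Microsoft's own code: it turns on the four signing and encryption audit settings described above, confirms they took effect, and then summarizes the audit and SMB over QUIC connectivity events from both tables. The channel names are the Get-WinEvent form of the Event Viewer paths, and the $LookbackHours window is an assumption to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example: enable SMB signing/encryption auditing and review what it logs.
# Run in an elevated session on the server or client being assessed.

$LookbackHours = 24   # assumption: review window, adjust to your retention

# 1. Enable the audit settings on both the SMB server and SMB client side.
Set-SmbServerConfiguration -AuditClientDoesNotSupportEncryption $true `
                           -AuditClientDoesNotSupportSigning $true -Force
Set-SmbClientConfiguration -AuditServerDoesNotSupportEncryption $true `
                           -AuditServerDoesNotSupportSigning $true -Force

# 2. Read the settings back so a silent policy override is noticed.
Get-SmbServerConfiguration |
    Select-Object AuditClientDoesNotSupportEncryption, AuditClientDoesNotSupportSigning
Get-SmbClientConfiguration |
    Select-Object AuditServerDoesNotSupportEncryption, AuditServerDoesNotSupportSigning

# 3. Channels and event IDs taken from the two tables above.
$channels = @(
    @{ LogName = 'Microsoft-Windows-SmbClient/Audit';        Id = 31998, 31999 }
    @{ LogName = 'Microsoft-Windows-SMBServer/Audit';        Id = 3021, 3022 }
    @{ LogName = 'Microsoft-Windows-SmbClient/Connectivity'; Id = 30832 }
    @{ LogName = 'Microsoft-Windows-SMBServer/Connectivity'; Id = 1913 }
)

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = foreach ($c in $channels) {
    # Get-WinEvent raises an error when nothing matches; an empty result is
    # the expected outcome on a clean system, so suppress it.
    Get-WinEvent -FilterHashtable @{
        LogName   = $c.LogName
        Id        = $c.Id
        StartTime = $since
    } -ErrorAction SilentlyContinue
}

if (-not $events) {
    Write-Output "No SMB audit or QUIC connectivity events in the last $LookbackHours hours."
    return
}

# 4. Count per channel and event ID first, then show the most recent records.
$events | Group-Object LogName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name

$events | Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, LogName, Id, Message |
    Format-List
```

Reviewing these counts before requiring signing or encryption shows which peers would fail to connect once the stricter settings are enforced.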
SMB over QUIC Client Access Control
Server 2025 implements client access control for SMB over QUIC, enhancing security for edge file server connectivity over untrusted networks. Certificate-based access controls provide granular restrictions to data access. For more information, see How client access control works.
SMB Alternative Ports
SMB clients in Server 2025 can connect to alternative TCP, QUIC, and RDMA ports beyond the default IANA/IETF ports (445, 5445, and 443). Alternative port configuration is possible via Group Policy or PowerShell. SMB over QUIC now supports UDP/443 ports for both server and client devices. For details, refer to Configure alternative SMB ports.
SMB Firewall Rule Hardening
SMB share creation in Server 2025 now automatically configures the new File and Printer Sharing (Restrictive) firewall group, replacing the previous File and Printer Sharing group. This enhanced rule set no longer permits inbound NetBIOS ports 137-139, strengthening firewall security. See Updated firewall rules for more information.
Enforced SMB Encryption
SMB encryption can now be mandated for all outbound SMB client connections in Server 2025. Administrators can enforce that all destination servers support SMB 3.x and encryption; clients will fail to connect to servers lacking these capabilities.
SMB Authentication Rate Limiter
The SMB authentication rate limiter, enabled by default, mitigates brute-force authentication attacks by limiting authentication attempts within a time period. The SMB server service introduces delays between failed NTLM- or PKU2U-based authentication attempts. Learn more at How SMB authentication rate limiter works.
SMB NTLM Blocking
Server 2025 SMB client supports NTLM blocking for remote outbound connections. This enhancement restricts SPNEGO negotiation to Kerberos and other secure mechanisms, enhancing security by preventing NTLM usage. For more information, see Block NTLM connections on SMB.
SMB Dialect Control
Administrators gain granular control over SMB dialects in Windows. The SMB server can be configured to negotiate specific SMB 2 and SMB 3 dialects, rather than solely the highest dialect, providing greater compatibility and control.
SMB Signing Required by Default
SMB signing is now mandatory by default for all outbound SMB connections, expanding beyond the previous requirement only for SYSVOL and NETLOGON shares on Active Directory DCs. For details on signing, see How signing works.
Remote Mailslot Disabled by Default
The Remote Mailslot protocol is disabled by default for SMB and DC Locator protocol usage with Active Directory in Server 2025 and may be removed in future releases. See Features we’re no longer developing for more information.
Routing and Remote Access Services (RRAS) Hardening
New RRAS installations in Server 2025, by default, block VPN connections based on PPTP and L2TP, enhancing security by discouraging weaker VPN protocols. SSTP and IKEv2 VPN connections remain accepted. Existing RRAS configurations retain their prior behavior. Re-enabling PPTP and L2TP is possible if necessary; see Configure VPN protocols. This change does not affect Windows client operating systems.
Hyper-V, AI, and Performance Optimizations in Server 2025
Windows Server 2025 delivers significant advancements in Hyper-V, AI capabilities, and overall performance.
Accelerated Networking (AccelNet)
Accelerated Networking (AccelNet) simplifies SR-IOV management for VMs on Windows Server 2025 clusters. AccelNet utilizes the high-performance SR-IOV data path, reducing latency, jitter, and CPU utilization. It includes a management layer for prerequisite checks, host configuration, and VM performance settings. For more information, see Accelerated Networking at the Edge (preview).
Generation 2 VMs as Default in Hyper-V Manager
Hyper-V Manager now defaults to Generation 2 VMs in the New Virtual Machine Wizard. Generation 2 VMs offer modern features and improved performance compared to Generation 1, making them the preferred choice for most workloads.
Hypervisor-Enforced Paging Translation (HVPT)
Hypervisor-enforced paging translation (HVPT) enhances security by enforcing linear address translation integrity. HVPT protects critical system data from write-what-where attacks by safeguarding the page tables that configure critical system data structures, and it encompasses the areas already secured by hypervisor-protected code integrity (HVCI). HVPT is enabled by default where hardware support is available but is disabled when Server 2025 runs as a VM guest.
GPU Partitioning (GPU-P) Enhancements
GPU partitioning allows sharing a physical GPU among multiple VMs. Hyper-V GPU-P high availability in Server 2025 automatically enables GPU-P VMs on another cluster node in case of unplanned downtime. GPU-P Live Migration facilitates moving GPU-P VMs between nodes for planned downtime or load balancing in both standalone and clustered environments. For more details, see GPU partitioning.
Dynamic Processor Compatibility Mode Updates
Dynamic processor compatibility mode is updated to leverage new processor capabilities within clustered environments. It utilizes the maximum processor features available across cluster servers, enhancing performance over previous compatibility modes. This mode also saves state between virtualization hosts using different processor generations, offering improved dynamic capabilities on processors with second-level address translation. Learn more at Dynamic processor compatibility mode.
Workgroup Clusters for Hyper-V
Hyper-V workgroup clusters in Server 2025 enable live migration of VMs within a Windows Server Failover Cluster where Hyper-V cluster nodes are not Active Directory domain members, providing greater deployment flexibility.
Network ATC for Streamlined Network Configuration
Network ATC simplifies network configuration deployment and management for Windows Server 2025 clusters. This intent-based approach allows users to specify desired network intents (management, compute, storage) for network adapters, automating configuration based on these intents. Network ATC reduces deployment time, complexity, and errors, ensuring configuration consistency and eliminating configuration drift. To learn more, see Deploy host networking with Network ATC.
Enhanced Hyper-V Scalability
Hyper-V in Server 2025 significantly expands scalability, now supporting up to 4 petabytes of memory and 2,048 logical processors per host, enabling larger and more performant virtualized workloads. Generation 2 VMs now support up to 240 TB of memory and 2,048 virtual processors, providing increased flexibility for demanding workloads. See Plan for Hyper-V scalability in Windows Server for planning details.
Storage Innovations in Server 2025
Server 2025 introduces several storage enhancements focused on performance and efficiency.
Block Cloning Support for Dev Drive
Dev Drive in Server 2025 now supports block cloning, leveraging the Resilient File System (ReFS) for significant performance gains during file copying. Block cloning enables file system-level byte range copying as low-cost metadata operations, reducing I/O overhead and improving storage capacity by enabling multiple files to share logical clusters. For more information, see Block cloning on ReFS.
Dev Drive for Developer Workload Optimization
Dev Drive, a storage volume utilizing ReFS, is designed to optimize performance for developer workloads. It offers enhanced control over storage volume settings and security, allowing administrators to designate trust, configure antivirus settings, and manage attached filters. To learn more, see Set up a Dev Drive on Windows 11.
NVMe Storage Performance Optimizations
Windows Server 2025 optimizes NVMe storage performance, enhancing IOPS and reducing CPU utilization for fast solid-state drives. This optimization improves overall storage responsiveness and efficiency.
Storage Replica Compression
Storage Replica compression in Server 2025 reduces network data transfer during replication, optimizing bandwidth usage and replication efficiency. For details on Storage Replica compression, see Storage Replica overview.
Storage Replica Enhanced Log
Storage Replica Enhanced Log improves log implementation, eliminating performance overhead associated with file system abstractions and enhancing block replication performance. For more information, see Storage Replica Enhanced Log.
ReFS Native Storage Deduplication and Compression
ReFS native storage deduplication and compression in Server 2025 optimize storage efficiency for both static and active workloads, such as file servers and virtual desktops. To learn more about ReFS deduplication and compression, see Optimize storage with ReFS deduplication and compression in Azure Local.
Thin Provisioned Volumes with Storage Spaces Direct
Thin provisioned volumes with Storage Spaces Direct in Server 2025 enable efficient storage resource allocation, preventing over-allocation by allocating from the pool only when needed. Conversion from fixed to thin provisioned volumes is supported, returning unused storage to the pool. For more information, see Storage thin provisioning.
SMB Compression with LZ4 Algorithm
Server 2025 SMB introduces support for the industry-standard LZ4 compression algorithm, expanding beyond existing XPRESS (LZ77), XPRESS Huffman (LZ77+Huffman), LZNT1, and PATTERN_V1 support. LZ4 compression enhances SMB performance and reduces network bandwidth consumption.
Azure Arc and Hybrid Cloud Integration in Server 2025
Windows Server 2025 strengthens Azure Arc and hybrid cloud capabilities, simplifying management and expanding hybrid functionalities.
Simplified Azure Arc Setup
Azure Arc Setup is pre-installed as a Feature on Demand in Server 2025. A user-friendly wizard and system tray icon streamline the process of onboarding servers to Azure Arc, extending Azure platform capabilities to diverse environments including datacenters, edge locations, and multicloud deployments, enhancing hybrid flexibility. For more information, see Connect Windows Server machines to Azure through Azure Arc Setup.
Azure Arc Pay-as-you-go Licensing
Server 2025 offers Azure Arc pay-as-you-go subscription licensing as an alternative to perpetual licensing. This option enables deploying and licensing Windows Server instances and paying only for actual usage, billed through Azure subscriptions and facilitated by Azure Arc. To learn more, see Azure Arc pay-as-you-go licensing.
Windows Server Management Enabled by Azure Arc Benefits
Windows Server Management enabled by Azure Arc provides enhanced benefits for customers with active Software Assurance or subscription licenses for Windows Server 2025, including:
- Windows Admin Center in Azure Arc: Seamless integration of Windows Admin Center with Azure Arc allows managing Windows Server instances directly from the Azure Arc portal, providing a unified management experience across on-premises, cloud, and edge environments.
- Remote Support: Secure, just-in-time remote support access with detailed execution transcripts and revocation rights for professional support engagements.
- Best Practices Assessment: Automated collection and analysis of server data, generating issue identification, remediation guidance, and performance improvement recommendations.
- Azure Site Recovery Configuration: Streamlined configuration of Azure Site Recovery for business continuity, enabling replication and data resilience for critical workloads.
For detailed information on Windows Server Management enabled by Azure Arc and its benefits, see Windows Server Management enabled by Azure Arc.
Software-Defined Networking (SDN) Advancements in Server 2025
Server 2025 SDN introduces several advancements, enhancing network management flexibility and performance.
Network Controller as Failover Cluster Service
The SDN Network Controller is now hosted directly as Failover Cluster services on physical host machines, eliminating the need for dedicated VMs. This simplification streamlines deployment, management, and resource utilization.
Tag-Based Segmentation
Administrators can now utilize custom service tags to associate network security groups (NSGs) and VMs for access control. Tag-based segmentation simplifies NSG management by using descriptive labels instead of IP ranges, improving network security policy management. To learn more, see Configure network security groups with tags in Windows Admin Center.
Default Network Policies for Enhanced Security
Server 2025 SDN introduces default network policies, mirroring Azure-like protection options for NSGs deployed via Windows Admin Center. These policies deny all inbound access by default, selectively allowing well-known inbound ports while permitting full outbound access, ensuring workload VM security from creation. See Use default network access policies on virtual machines on Azure Local, version 23H2 for more details.
SDN Multisite for Cross-Location Connectivity
SDN Multisite provides native layer 2 and layer 3 connectivity between applications across two locations without additional components. This feature enables seamless application mobility without reconfiguration and offers unified network policy management across locations. To learn more, see What is SDN Multisite?.
Enhanced SDN Layer 3 Gateway Performance
SDN layer 3 gateways in Server 2025 achieve higher throughput and reduced CPU utilization by default, improving performance for SDN gateway layer 3 connections configured via PowerShell or Windows Admin Center.
Windows Containers Portability
Container portability in Server 2025 simplifies upgrades and enhances container flexibility and compatibility. Users can move container images and associated data between hosts or environments without modifications, ensuring consistent deployment across different infrastructures. To learn more, see Portability for containers.
Windows Server Insider Program
The Windows Server Insider Program provides early access to the latest Windows Server OS releases. Members can participate in different release channels and explore new features and concepts under development. Access the program through Start > Settings > Windows Update > Windows Insider Program.