Security features in Windows Server 2022

Fine Tuning

Hotpatching in the Cloud

Windows Server 2022 Datacenter Azure Edition is a new variant that can only be used on Azure and Azure Stack hyperconverged infrastructure (HCI). In another part of this article, I highlight the advantages of Azure Stack HCI on the network. In version 21H2, the on-premises installation of Azure also uses features from Windows Server 2022. The current Azure Stack HCI 20H2 version still relies on Windows Server 2019 as the base operating system.

However, Microsoft has also clarified that Azure Stack HCI does not simply rely on Windows Server as the base operating system but actually extends its feature set. Azure Stack HCI 21H2 integrates features that did not make the cut for Windows Server 2022, including various optimizations for Storage Spaces Direct. Azure Stack HCI includes thin provisioning for HCI volumes; this technology is not on board in Windows Server 2022 Datacenter. Support for physical graphics cards for virtual machines (VMs) is also integrated in Azure Stack HCI but is not available in Windows Server 2022. If you rely on clusters on the network, you might want to at least consider using Azure Stack HCI if you migrate to Windows Server 2022.

Stretched clustering (i.e., clusters spanning multiple data centers) is now only possible with Azure Stack HCI. Extended Security Updates, meanwhile, extend support for Microsoft operating systems. These capabilities are only available for VMs on Azure Stack HCI and in Microsoft Azure. These examples are just a few of the feature differences and are interesting for corporations that still rely on Windows Server 2012/2012 R2 or SQL Server 2012. Support for these systems will expire in 2022 or 2023. By the way, Azure Stack HCI billing uses a pay-per-use model.

Another interesting thing from a security perspective is that the Azure Edition supports hotpatching. This technology removes the need to reboot the entire server after an update and, instead, only restarts individual areas of the kernel and the operating system. This simplifies the installation of updates and keeps the server available to users without downtime. Restarting individual elements of the operating system, for example, does not cause workload failures and users will hardly notice a thing. If you want to use the server locally on the network, you can also deploy this edition on Azure Stack HCI 21H2.

SMB over Quick UDP Internet Connections (QUIC) protocol is also a feature only available in Windows Server 2022 Datacenter Azure Edition. Clients use the QUIC protocol for communication rather than TCP. In combination with TLS 1.3, applications can access data in a far more secure way, especially where servers are located on edge networks.

HCI Instead of Shielded VMs

Hyper-V in Windows Server 2022 does not bring as many innovations as it did in Windows Server 2019, but the changes are still quite significant in terms of security. Again, Windows 11 and Windows Server 2022 are quite similar in terms of innovations. The new features in Hyper-V are also available in Azure Stack HCI 21H2 but are not included in Azure Stack HCI 20H2.

A free Hyper-V server for Windows Server 2022 is no longer available. The last free version is Hyper-V Server 2019. According to the official recommendation, companies looking for a standalone server for virtualization should go for Azure Stack HCI. The downside is that this edition is not available for free. Azure Stack HCI sees Microsoft offer its own operating system, which takes Azure functions and an HCI infrastructure to the data center. Just like Windows Server 2022, Azure Stack HCI can be managed from the Windows Admin Center.

Microsoft has also dropped shielded VMs from the Windows Server 2022 roadmap. Although this technology is still integrated in Windows Server 2022, it is no longer under active development and no longer recommended for operation. If you want a secured fabric, you can turn to Azure Stack HCI, according to Microsoft. Microsoft's HCI environment is optimized for the secure operation of VMs.

Windows Server 2022 and Windows 11 introduce a new VM configuration version, version 10. Windows 10 and Windows Server 2019 still use version 9. If you upgrade a Hyper-V host in place, the VMs keep their previous configuration version. On the host, you can use the Get-VMHostSupportedVersion cmdlet to check which versions a host supports (Figure 3). The version of each VM can be seen in Hyper-V Manager and also in the Windows Admin Center. PowerShell lets you view the version of each VM with the cmdlet:

Get-VM * | Format-Table Name, Version

Figure 3: PowerShell lets you view supported VM versions on Hyper-V hosts.

To switch to the new version, use the command:

Update-VMVersion <name of VM>

For outdated versions, the Upgrade Configuration Version option is available in the context menu of the VM in Hyper-V Manager. When creating VMs in PowerShell, you can also control the configuration version by typing, for example:

New-VM -Name "WindowsCV9" -Version 9.0
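The procedure above (check the versions a host supports, list the VMs that lag behind, upgrade them) combined into one script, as an added example that is not from the article. It assumes the Hyper-V PowerShell module is installed and that the account running it has administrative rights on the host; the script name and parameters are hypothetical.

```powershell
# Added example (not from the article): report Hyper-V VMs whose configuration
# version is below the newest version the host supports, and upgrade them only
# when -Upgrade is given. The upgrade is one-way, and Update-VMVersion requires
# the VM to be off, so the script stops each VM gracefully first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Upgrade
)

# Newest configuration version this host supports (10.0 on Windows Server 2022).
$latest = Get-VMHostSupportedVersion -ComputerName $ComputerName |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 1

# Get-VM returns the version as a string such as "9.0"; cast it for comparison.
$outdated = @(Get-VM -ComputerName $ComputerName |
    Where-Object { [version]$_.Version -lt [version]$latest.Version })

if ($outdated.Count -eq 0) {
    Write-Host "All VMs on $ComputerName already use version $($latest.Version)."
    return
}

# Inventory first; this is the part you would run regularly to spot drift.
$outdated | Select-Object Name, State, Version |
    Format-Table -AutoSize | Out-String | Write-Host

if (-not $Upgrade) { return }

foreach ($vm in $outdated) {
    $action = "Upgrade configuration version $($vm.Version) -> $($latest.Version)"
    if (-not $PSCmdlet.ShouldProcess($vm.Name, $action)) { continue }

    # The VM must be off; Stop-VM without -TurnOff asks the guest to shut down.
    if ($vm.State -ne 'Off') {
        Stop-VM -VM $vm -Confirm:$false
    }

    # -Force suppresses the cmdlet's own confirmation prompt; ShouldProcess
    # above already covers -WhatIf/-Confirm for the whole script.
    Update-VMVersion -VM $vm -Force

    Get-VM -ComputerName $ComputerName -Name $vm.Name | Select-Object Name, Version
}
```

Run it once without -Upgrade to see the list, then with -Upgrade -WhatIf to preview, since the configuration version cannot be downgraded afterwards.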

Nested virtualization has also been extended: Windows Server 2022 and Windows 11 support it on computers with AMD processors, whereas Windows 10 and Windows Server 2019 can only use computers with Intel processors for this technology. Nested virtualization plays an important role for test and development environments, container hosts, and virtual clusters.

Virtual switches now support Receive Segment Coalescing (RSC) in Windows Server 2022. The switches can combine network packets and send them together. The data is unpacked again on the host or VM for which the segment is intended. Data traffic between virtual network adapters on the same host can also be controlled and optimized in this way, which speeds up network traffic and improves security while reducing the load on the network adapters and hardware of the computers involved. It also significantly reduces the load on the CPUs. Although Windows Server 2019 already supports RSC, Microsoft has significantly upgraded the technology in Windows Server 2022. The settings can be defined on each Hyper-V host. The commands for disabling and enabling are:

Set-VMSwitch -Name vSwitchName -EnableSoftwareRsc $false
Set-VMSwitch -Name vSwitchName -EnableSoftwareRsc $true

You can retrieve the status of the settings with the command:

Get-VMSwitch -Name vSwitchName | Select-Object *RSC*
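An audit script built on the Get-VMSwitch and Set-VMSwitch commands above, as an added example that is not from the article: it reports the software RSC state of every virtual switch on one or more Hyper-V hosts and, only when -Remediate is given, switches it on where it is off. The property name SoftwareRscEnabled is assumed here from the output of Get-VMSwitch on Windows Server 2022; the script name and parameters are hypothetical.

```powershell
# Added example (not from the article): audit software RSC on all virtual
# switches of the given Hyper-V hosts, emitting one record per switch so the
# output can be piped to Export-Csv or compared between runs.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$HostName = @($env:COMPUTERNAME),
    [switch]$Remediate
)

foreach ($h in $HostName) {
    $switches = Get-VMSwitch -ComputerName $h -ErrorAction Stop
    foreach ($sw in $switches) {
        # SoftwareRscEnabled is the property behind "Select-Object *RSC*"
        # in the article's command (assumed name, see lead-in).
        $enabled = [bool]$sw.SoftwareRscEnabled

        [pscustomobject]@{
            Host        = $h
            Switch      = $sw.Name
            SwitchType  = $sw.SwitchType
            SoftwareRsc = $enabled
        }

        if ($Remediate -and -not $enabled -and
            $PSCmdlet.ShouldProcess("$h / $($sw.Name)", 'Enable software RSC')) {
            Set-VMSwitch -ComputerName $h -Name $sw.Name -EnableSoftwareRsc $true
        }
    }
}
```

Pass several hosts in -HostName to compare a cluster's nodes in one run; RSC must be set per host, so drift between nodes is common after a rebuild.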

If several network adapters are available on a Hyper-V host, Windows Admin Center automatically proposes that you create a switch-embedded teaming (SET) switch when you set up new virtual switches. Avoid working with the teaming functions in Windows Server 2022 up front and go for the SET options in the Admin Center instead.

Management with WAC

Microsoft has increasingly been moving features for managing clusters and Hyper-V to the Windows Admin Center, as is also the case for Windows Server 2022, so it makes sense to take a closer look at the WAC options when using Windows Server 2022. Of course, the setting options are still part of the Failover Cluster Manager, but using Windows Admin Center for management tasks typically makes more sense.

Under Virtual machines , you will find the Affinity rules settings, which is where you define how the cluster will position VMs. Windows Server 2022 and the Windows Admin Center offer very extensive options. Windows then stores the rules as a cluster object to keep them available at all times. For example, you can define which VMs will be positioned together on a host and which VMs the cluster will keep apart. Of course, these rules are also available in PowerShell, as are all functions available in the Windows Admin Center or the Failover Cluster Manager as a general rule.

Cluster validation tests are still used in Windows Server 2022 as part of the process of creating and operating a cluster. Microsoft has extended these in Windows Server 2022 to cover more Hyper-V features in the cluster in the tests, optimizing cluster operations and security with Windows Server 2022 and Hyper-V after installation. During the tests, the wizard also checks, for example, the teaming functions of the switches and the RDMA functions.
