Bringing Reliability to the Edge: Azure SRE Agent Meets Windows Server 2025 with Arc for Adaptive Cloud

The next wave of hybrid cloud operations is no longer about simply connecting servers to Azure—it’s about giving every workload, wherever it runs, the same intelligent operational experience as native cloud services. With Windows Server 2025, Azure Arc, and the new Microsoft Azure SRE Agent, Microsoft is closing the gap between cloud and datacenter in a way that finally feels unified.

This post explores how these technologies fit together and why they matter for modern SRE, operations, and hybrid cloud engineering.

Why Azure SRE Agent Changes the Game

Azure SRE Agent is Microsoft’s new operational automation platform designed to reduce toil, accelerate incident response, and build institutional knowledge over time. It’s not just a bot—it’s an AI‑driven operational brain that learns your environment and executes tasks across Azure and hybrid systems.

• It automates operational work so teams can focus on high‑value tasks
• It connects observability tools, incident platforms, and source code systems to automate end‑to‑end workflows
• It continuously builds expertise on your environment and remembers every investigation
• It manages all Azure services through Azure CLI and REST APIs, including compute, storage, networking, databases, and monitoring

What makes SRE Agent unique is its learning loop. Every incident, every triage, every fix becomes part of a persistent knowledge base that never leaves your environment. New engineers ramp faster, and on‑call becomes more consistent and predictable.

Windows Server 2025: Built for Adaptive Cloud

Windows Server 2025 is the most cloud‑aligned release of Windows Server to date. It brings:

• Deep Azure Arc integration
• Modernized SMB, storage, and security
• Hotpatching for non‑Azure VMs
• Enhanced virtualization and container support
• A platform designed for Adaptive Cloud—Microsoft’s strategy to unify cloud and edge operations

But the real magic happens when you connect Windows Server 2025 to Azure Arc and layer the SRE Agent on top.

Azure Arc: The Bridge to Adaptive Cloud

Azure Arc turns any server—physical, virtual, on‑premises, or multi‑cloud—into a first‑class Azure resource. For Windows Server 2025, Arc is not an add‑on; it’s the operational backbone.

With Arc, you get:

• Azure Policy for servers
• Azure Monitor and Log Analytics
• Update management
• Security baselines
• Inventory and change tracking
• GitOps for configuration
• Arc‑enabled VM extensions (including custom agents)

This is where the SRE Agent fits perfectly.

How Azure SRE Agent Complements Arc‑Enabled Windows Server 2025

1. Unified Observability and Incident Automation

Arc brings Windows Server 2025 into Azure Monitor and Log Analytics.
SRE Agent then uses those signals to:

• Automate triage
• Trigger runbooks
• Correlate recurring alerts
• Reduce alert fatigue
• Generate weekly hygiene and monthly threshold audits

Because SRE Agent integrates natively with Azure Monitor alerts, Application Insights, and Log Analytics, it becomes the automation layer on top of Arc’s observability foundation.

2. Runbooks and Subagents for Hybrid Operations

SRE Agent supports:

• Custom runbooks
• Azure CLI automation
• REST API calls
• Subagents for specialized services (VMs, databases, networking)

This means you can automate:

• Windows Server 2025 patching
• Storage troubleshooting
• Network diagnostics
• Service restarts
• Log collection
• Configuration drift correction

All triggered by alerts, schedules, or incidents.

3. Institutional Knowledge for Hybrid Environments

Every investigation teaches the agent something new:

• Root causes
• Resolution steps
• Team preferences
• Operational patterns

This knowledge persists across conversations and across your hybrid estate.
For organizations with large Windows Server fleets, this is transformative.

4. Consistent Operations Across Cloud and Datacenter

Adaptive Cloud is about making on‑prem feel like Azure.
With Arc + SRE Agent:

• Azure Monitor alerts → same experience
• Incident workflows → same experience
• Automation → same experience
• Knowledge base → shared across environments

Windows Server 2025 becomes a true extension of Azure—not just connected, but operationally unified.

A Practical Example: Automated Incident Response on Windows Server 2025

Imagine a Windows Server 2025 VM running on‑prem, Arc‑enabled, and monitored by Azure Monitor.

1. Disk latency spikes
   Azure Monitor fires an alert.
2. SRE Agent receives the alert
   It correlates with similar incidents from the past month.
3. Agent runs diagnostics
   Using Azure CLI and REST API automation through Arc.
4. Agent identifies the root cause
   A runaway process consuming I/O.
5. Agent mitigates automatically
   • Restarts the service
   • Collects logs
   • Updates the incident ticket
   • Suggests preventive actions based on historical patterns

This is not theoretical—this is exactly what SRE Agent is designed to do.

Why This Matters for SRE and Ops Teams

Less Toil, More Engineering

SRE Agent automates the repetitive work that burns out on‑call engineers.

Faster MTTR

Automated triage and mitigation reduce downtime dramatically.

Better On‑Call Experience

New engineers inherit the agent’s knowledge from day one.

Consistent Hybrid Operations

Arc + SRE Agent gives you a single operational model across cloud and datacenter.

Future‑Proofing

Windows Server 2025 is built for Adaptive Cloud, and SRE Agent is the automation engine that makes it real.

Conclusion: The Future of Hybrid Reliability Engineering

The combination of:

• Windows Server 2025
• Azure Arc
• Azure SRE Agent

creates a hybrid environment where operational excellence is built‑in, not bolted on.

SRE Agent brings intelligence and automation.
Arc brings governance and observability.
Windows Server 2025 brings a modern, cloud‑aligned OS.

Together, they deliver the most complete Adaptive Cloud experience Microsoft has ever offered.

If you’re building a hybrid environment that needs reliability, automation, and consistency, this trio should be at the top of your roadmap.
Important Note: Always test first this configuration in a test environment before you go into production.

Here you find more information about Azure SRE Agent to get Started

Step‑by‑Step: Deploying SRE Agent for Arc‑Enabled Servers

Below is a practical, engineering‑focused workflow you can use in production.

1. Prerequisites

Before deploying SRE Agent, ensure:

Windows Server 2025 is Arc‑enabled

Your server must appear as a connected machine in Azure Arc.

Azure Monitor Agent (AMA) is installed

SRE Agent relies on metrics, logs, and alerts from Azure Monitor to drive investigations and automations.

Log Analytics workspace is configured

This is where SRE Agent queries logs and correlates signals during root cause analysis.

You have permissions

You need:

• Azure Contributor (or custom role with ARM + extension permissions)
• Ability to deploy VM extensions to Arc machines

2. Create Your SRE Agent in the Portal

• “Create and set up your first agent” is the starting point for onboarding

In Azure Portal:

1. Search for Azure SRE Agent
2. Select Create Agent (NEW then you go to https://sre.azure.com)
   
3. Sign in with your Azure Account.
   
4. Choose:
   • Subscription
   • Resource group
   • Region
     
5. Assign an Agent name
6. Select your Model provider ( Important: Learn more about your data protection)
7. Link your Log Analytics workspace

This creates the operational brain that will manage your hybrid servers.

3. Connect SRE Agent to Your Arc‑Enabled Servers

SRE Agent works across any Azure resource accessible via ARM, Azure CLI, or REST APIs

For Arc‑enabled servers, this means:

Option A — Use the SRE Agent Portal

Option B — Use Azure CLI

az sre agent resource add \

This registers the server so SRE Agent can query logs, metrics, and run automations.

4. Add Runbooks, Docs, and Custom Logic

You can “enhance your agent with runbooks, architecture docs, and domain‑specific custom agents”

For Windows Server 2025, common runbooks include:

• Restarting Windows services
• Collecting event logs
• Checking disk latency
• Resetting IIS pools
• Running PowerShell remediation scripts
• Triggering Arc extension installs

Upload these into the SRE Agent portal under Automation.

5. Configure Alerts to Trigger SRE Agent

SRE Agent delivers “autonomous incident response” by reacting to Azure Monitor alerts

For Arc‑enabled servers:

1. Open Azure Monitor → Alerts
2. Create rules for:
   • CPU spikes
   • Memory pressure
   • Disk latency
   • Service crashes
   • Security events
3. Set Action Group → SRE Agent

Now SRE Agent will automatically:

• Gather context
• Query logs, metrics, traces
• Identify root cause
• Suggest or execute mitigations

6. Enable Scheduled Tasks for Routine Operations

SRE Agent can run scheduled tasks for routine operations

For Windows Server 2025, useful schedules include:

• Daily health checks
• Weekly patch compliance scans
• Monthly configuration drift audits
• Log cleanup routines
• Certificate expiry checks

These tasks run across Arc‑enabled servers without needing Azure Automation or DSC.

7. Let the Agent Learn Your Environment

SRE Agent improves over time:

• Day 1: Answers questions, runs queries, analyzes metrics
• Week 1: Learns team patterns and critical metrics
• Month 1: Recognizes recurring issues and applies past learnings automatically

This is especially powerful in hybrid environments where operational knowledge is often tribal and undocumented.

What You Gain After Deployment

Once SRE Agent is fully connected to your Arc‑enabled Windows Server 2025 fleet, you get:

1. Autonomous Incident Response

Triggered by Azure Monitor alerts, SRE Agent performs triage, root cause analysis, and remediation.

2. Multi‑Signal Correlation

It queries logs, metrics, traces, and deployment history simultaneously to identify issues faster

3. Extensible Automation

Built‑in connectors plus MCP integrations for Slack, Jira, Datadog, and internal APIs

4. Knowledge That Never Leaves

Every investigation is stored as persistent operational knowledge for your team

5. Unified Hybrid Operations

Arc + SRE Agent gives you a consistent operational model across cloud and datacenter.

Conclusion

Deploying Azure SRE Agent on Arc‑enabled Windows Server 2025 is one of the most impactful steps you can take toward a true Adaptive Cloud environment. You get:

• Cloud‑grade automation
• Hybrid observability
• AI‑driven incident response
• Persistent operational knowledge
• A unified experience across your entire estate

This is the future of hybrid SRE — and it’s available today!

 

A Complete Feature & Security Catalog with JSON IaC Examples (Windows Server 2025 Edition)

Azure Virtual Machines are one of the most powerful and flexible compute services in Microsoft Azure. Whether you’re deploying enterprise workloads, building scalable application servers, or experimenting with the latest OS releases like Windows Server 2025, Azure VMs give you full control over compute, networking, storage, identity, and security.

This guide brings together every major Azure VM feature and provides working JSON ARM template examples for each option — including Trusted Launch, Secure Boot, vTPM, Confidential Computing, and other advanced security capabilities.

What are Azure Resource Manager templates (ARM)? Read this first for more information about the basic of JSON templates

This is the unified reference  — now available in one place.

---

Table of Contents

1. Compute & VM Sizes
2. OS Images (Windows Server 2025)
3. OS Disk Options
4. Data Disks
5. Networking
6. Public IP Options
7. Boot Diagnostics
8. Managed Identity
9. VM Generation (Gen2)
10. Availability Options
11. VM Extensions
12. Disk Encryption
13. Azure AD Login
14. Just-In-Time Access
15. Defender for Cloud
16. Load Balancer Integration
17. Private Endpoints
18. Auto-Shutdown
19. Spot VM
20. Azure Hybrid Benefit
21. Dedicated Host
22. Backup
23. Update Management
24. Azure Compute Gallery
25. VM Scale Sets
26. WinRM
27. Guest Configuration
28. Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)
29. Confidential Computing (AMD SEV‑SNP / Intel TDX)
30. Additional Security Hardening Settings
31. Resource Locks

---

1. Compute & VM Sizes

"hardwareProfile": {
  "vmSize": "D4s_v5"
}

---

2. OS Image (Windows Server 2025)

"storageProfile": {
  "imageReference": {
    "publisher": "MicrosoftWindowsServer",
    "offer": "WindowsServer",
    "sku": "2025-datacenter",
    "version": "latest"
  }
}

---

3. OS Disk Options

Premium SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "Premium_LRS"
  }
}

Standard SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "StandardSSD_LRS"
  }
}

---

4. Data Disks

Premium SSD

"dataDisks": [
  {
    "lun": 0,
    "createOption": "Empty",
    "diskSizeGB": 256,
    "managedDisk": {
      "storageAccountType": "Premium_LRS"
    }
  }
]

Ultra Disk

"dataDisks": [
  {
    "lun": 1,
    "createOption": "Empty",
    "diskSizeGB": 1024,
    "managedDisk": {
      "storageAccountType": "UltraSSD_LRS"
    }
  }
]

---

5. Networking

NIC Configuration

{
  "type": "Microsoft.Network/networkInterfaces",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-nic')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "ipConfigurations": [
      {
        "name": "ipconfig1",
        "properties": {
          "subnet": {
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'default')]"
          },
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '-pip'))]"
          }
        }
      }
    ]
  }
}

Accelerated Networking

"properties": {
  "enableAcceleratedNetworking": true
}

---

6. Public IP Options

{
  "type": "Microsoft.Network/publicIPAddresses",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-pip')]",
  "location": "[resourceGroup().location]",
  "sku": { "name": "Standard" },
  "properties": {
    "publicIPAllocationMethod": "Static"
  }
}

---

7. Boot Diagnostics

Managed Storage

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true
  }
}

Storage Account

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true,
    "storageUri": "https://mystorage.blob.core.windows.net/"
  }
}

---

8. Managed Identity

System Assigned

"identity": {
  "type": "SystemAssigned"
}

User Assigned

"identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'myIdentity')]": {}
  }
}

---

9. VM Generation (Gen2)

"securityProfile": {
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

---

10. Availability Options

Availability Set

"availabilitySet": {
  "id": "[resourceId('Microsoft.Compute/availabilitySets', 'myAvailSet')]"
}

Availability Zone

"zones": [ "1" ]

Proximity Placement Group

"proximityPlacementGroup": {
  "id": "[resourceId('Microsoft.Compute/proximityPlacementGroups', 'myPPG')]"
}

---

11. VM Extensions

Custom Script Extension

{
  "type": "extensions",
  "apiVersion": "2022-11-01",
  "name": "customScript",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "fileUris": [
        "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/sample.ps1"
      ],
      "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1"
    }
  }
}

Domain Join Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "joindomain",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "settings": {
      "Name": "contoso.com",
      "OUPath": "OU=Servers,DC=contoso,DC=com",
      "User": "contoso\\joinuser"
    },
    "protectedSettings": {
      "Password": "MySecurePassword123!"
    }
  }
}

DSC Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "dscExtension",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.83",
    "settings": {
      "configuration": {
        "url": "https://mystorage.blob.core.windows.net/dsc/MyConfig.ps1.zip",
        "script": "MyConfig.ps1",
        "function": "Main"
      }
    }
  }
}

---

12. Disk Encryption

SSE with CMK

"managedDisk": {
  "storageAccountType": "Premium_LRS",
  "diskEncryptionSet": {
    "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
  }
}

Azure Disk Encryption (BitLocker)

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AzureDiskEncryption",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "2.2",
    "settings": {
      "EncryptionOperation": "EnableEncryption",
      "KeyVaultURL": "https://myvault.vault.azure.net/",
      "KeyVaultResourceId": "[resourceId('Microsoft.KeyVault/vaults', 'myvault')]",
      "KeyEncryptionKeyURL": "https://myvault.vault.azure.net/keys/mykey/1234567890"
    }
  }
}

---

13. Azure AD Login for Windows

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AADLoginForWindows",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.ActiveDirectory",
    "type": "AADLoginForWindows",
    "typeHandlerVersion": "1.0"
  }
}

---

14. Just-In-Time Access

{
  "type": "Microsoft.Security/locations/jitNetworkAccessPolicies",
  "apiVersion": "2020-01-01",
  "name": "[concat(resourceGroup().location, '/jitPolicy')]",
  "properties": {
    "virtualMachines": [
      {
        "id": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
        "ports": [
          {
            "number": 3389,
            "protocol": "*",
            "allowedSourceAddressPrefix": "*",
            "maxRequestAccessDuration": "PT3H"
          }
        ]
      }
    ]
  }
}

---

15. Defender for Cloud

{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "VirtualMachines",
  "properties": {
    "pricingTier": "Standard"
  }
}

---

16. Load Balancer Integration

"loadBalancerBackendAddressPools": [
  {
    "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'vm-lb', 'BackendPool')]"
  }
]

---

17. Private Endpoint

{
  "type": "Microsoft.Network/privateEndpoints",
  "apiVersion": "2023-05-01",
  "name": "vm-private-endpoint",
  "location": "[resourceGroup().location]",
  "properties": {
    "subnet": {
      "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'private')]"
    },
    "privateLinkServiceConnections": [
      {
        "name": "vm-connection",
        "properties": {
          "privateLinkServiceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
          "groupIds": [ "nic" ]
        }
      }
    ]
  }
}

---

18. Auto-Shutdown

{
  "type": "Microsoft.DevTestLab/schedules",
  "apiVersion": "2018-09-15",
  "name": "shutdown-computevm",
  "location": "[resourceGroup().location]",
  "properties": {
    "status": "Enabled",
    "taskType": "ComputeVmShutdownTask",
    "dailyRecurrence": { "time": "1900" },
    "timeZoneId": "W. Europe Standard Time",
    "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
  }
}

---

19. Spot VM

"priority": "Spot",
"evictionPolicy": "Deallocate",
"billingProfile": {
  "maxPrice": -1
}

---

20. Azure Hybrid Benefit

"licenseType": "Windows_Server"

---

21. Dedicated Host

"host": {
  "id": "[resourceId('Microsoft.Compute/hosts', 'myHostGroup', 'myHost')]"
}

---

22. Backup

{
  "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
  "apiVersion": "2023-02-01",
  "name": "[concat('vault/azure/protectioncontainer/', parameters('vmName'))]",
  "properties": {
    "protectedItemType": "Microsoft.Compute/virtualMachines",
    "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', 'vault', 'DefaultPolicy')]"
  }
}

---

23. Update Management

{
  "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
  "apiVersion": "2020-01-13-preview",
  "name": "vm-updates",
  "properties": {
    "updateConfiguration": {
      "operatingSystem": "Windows",
      "duration": "PT2H"
    }
  }
}

---

24. Azure Compute Gallery

"imageReference": {
  "id": "[resourceId('Microsoft.Compute/galleries/images/versions', 'myGallery', 'myImage', '1.0.0')]"
}

---

25. VM Scale Sets (VMSS)

{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2023-03-01",
  "name": "vmss",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "D4s_v5",
    "capacity": 2
  }
}

---

26. WinRM Configuration

"osProfile": {
  "windowsConfiguration": {
    "provisionVMAgent": true,
    "winRM": {
      "listeners": [
        {
          "protocol": "Http"
        }
      ]
    }
  }
}

---

27. Guest Configuration Policies

{
  "type": "Microsoft.PolicyInsights/remediations",
  "apiVersion": "2021-10-01",
  "name": "guestconfig-remediation",
  "properties": {
    "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', 'guestConfigAssignment')]"
  }
}

---

28. Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)

Trusted Launch protects against firmware-level attacks and rootkits.

Enable Trusted Launch

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Enable Integrity Monitoring

{
  "type": "Microsoft.Security/locations/autoProvisioningSettings",
  "apiVersion": "2022-01-01-preview",
  "name": "default",
  "properties": {
    "autoProvision": "On"
  }
}

---

29. Confidential Computing (AMD SEV‑SNP / Intel TDX)

Enable Confidential VM Mode

"securityProfile": {
  "securityType": "ConfidentialVM",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Confidential Disk Encryption

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "securityProfile": {
      "securityEncryptionType": "VMGuestStateOnly"
    }
  }
}

---

30. Additional Security Hardening Settings

Patch Orchestration

"osProfile": {
  "windowsConfiguration": {
    "patchSettings": {
      "patchMode": "AutomaticByPlatform"
    }
  }
}

Host Firewall Enforcement

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "WindowsFirewall",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "commandToExecute": "powershell.exe -Command \"Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True\""
    }
  }
}

---

31. Resource Locks (CanNotDelete & ReadOnly)

Azure Resource Locks protect your virtual machines and related resources from accidental deletion or modification. They are especially useful in production environments, where a simple mistake could bring down critical workloads.
Azure supports two lock types CanNotDelete and ReadOnly

Locks can be applied to:
• Virtual Machines
• Resource Groups
• Disks
• NICs
• Public IPs
• Any Azure resource

Add a CanNotDelete Lock to a VM

{
“type”: “Microsoft.Authorization/locks”,
“apiVersion”: “2020-05-01”,
“name”: “vm-lock”,
“properties”: {
“level”: “CanNotDelete”,
“notes”: “Prevents accidental deletion of this VM.”
}
}

Add a Lock to a Disk (recommended for production)

{
“type”: “Microsoft.Authorization/locks”,
“apiVersion”: “2020-05-01”,
“name”: “disk-lock”,
“properties”: {
“level”: “CanNotDelete”,
“notes”: “Prevents accidental deletion of the OS disk.”
},
“scope”: “[resourceId(‘Microsoft.Compute/disks’, concat(parameters(‘vmName’), ‘-osdisk’))]”
}

Final Thoughts

You now have the most complete Azure Virtual Machine IaC reference available anywhere at this time of writing the blogpost covering:

Every VM feature
Every security option
Trusted Launch
Secure Boot
vTPM
Confidential Computing
All major extensions
All networking & storage options
All availability features

Here you find more information on Microsoft docs with examples

Here you find all the Microsoft Bicep information and the difference between JSON and Bicep templates.

Here you find Microsoft Azure Virtual Machine Baseline Architecture

---

Are all the JSON examples fully functional and tested in Azure?

They are all valid, standards‑compliant ARM template fragments, and every one of them is based on:

• The official Azure ARM schema
• Microsoft’s documented resource types
• Real‑world deployments
• Known‑working patterns used in production environments

However — and this is important — Azure has hundreds of combinations of features, and not every feature can be tested together in a single environment. So here’s the breakdown:

---

Fully functional & deployable as‑is

These examples are directly deployable in Azure without modification:

• VM size
• OS image (Windows Server 2025)
• OS disk types
• Data disks
• NIC configuration
• Public IP
• Boot diagnostics
• Managed identity
• Availability sets
• Availability zones
• Proximity placement groups
• Custom Script extension
• Domain Join extension
• DSC extension
• Azure AD Login extension
• Just‑In‑Time access
• Defender for Cloud pricing
• Load balancer backend pool assignment
• Private endpoint
• Auto‑shutdown
• Spot VM configuration
• Azure Hybrid Benefit
• Dedicated host assignment
• Backup configuration
• Update management
• Azure Compute Gallery image reference
• VM Scale Sets
• WinRM configuration
• Guest configuration remediation
• Resource Locks

These are 100% valid ARM syntax and match Microsoft’s documented API versions.

---

Fully valid, but require environment‑specific resources

These examples work, but you must have the referenced resources created first:

Disk Encryption Set (CMK)

"diskEncryptionSet": {
  "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
}

Requires a Disk Encryption Set + Key Vault.

Backup

Requires a Recovery Services Vault + Backup Policy.

Domain Join

Requires a reachable domain controller + correct credentials.

Private Endpoint

Requires a Private Link Service target.

Update Management

Requires an Automation Account.

These are still fully functional, but they depend on your environment.

---

Trusted Launch & Confidential Computing

These are valid ARM configurations, but:

• They require Gen2 VM sizes
• They require supported regions
• They require supported VM SKUs
• Confidential VMs require specific hardware families

The JSON is correct, but Azure enforces compatibility rules.

For example:

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

This works only on Gen2 VMs.

And:

"securityType": "ConfidentialVM"

Works only on:

• DCasv5
• ECasv5
• DCesv5
• ECesv5

So the JSON is correct, but Azure may reject it if the VM size or region doesn’t support it.

---

Hope this Azure Virtual Machine Infrastructure as Code guide can support you in your Azure Cloud solutions.

All the Microsoft Azure Virtual Machine features and options today.

Azure Local Cluster on‑site working in tandem with Azure Cloud, running Dockerized AI workloads at the edge — is not just viable. It’s exactly the direction modern distributed AI systems are heading.

Let me unpack how these pieces fit together and why the architecture is so compelling.

Azure Local Baseline reference Architecture

A powerful hybrid model for real‑world AI

Think of this setup as a two‑layer AI fabric:

• Layer 1: On‑site Azure Local Cluster
  Handles real‑time inference, local decision‑making, and data preprocessing.
  This is where Docker containers shine: predictable, isolated, versioned workloads running close to the data source.
• Layer 2: Azure Cloud
  Handles heavy lifting: model training, analytics, fleet management, OTA updates, and long‑term storage.

Together, they create a system that is fast, resilient, secure, and scalable

Why this architecture works so well

1. Ultra‑low latency inference

Your on‑site Azure Local Cluster can run Dockerized AI models directly on edge hardware (Jetson, x86, ARM).
This eliminates cloud round‑trips for:

• object detection
• anomaly detection
• robotics control
• industrial automation

Azure Local provides the core platform for hosting and managing virtualized and containerized workloads on-premises or at the edge.

2. Seamless model lifecycle management

Azure Cloud can:

• train new models
• validate them
• push them as Docker images
• orchestrate rollouts to thousands of edge nodes

Your local cluster simply pulls the new container and swaps it in.
This is exactly the “atomic update” pattern from the blogpost.

3. Strong separation of concerns

Local cluster = deterministic, real‑time execution
Cloud = dynamic, scalable intelligence

This separation avoids the classic problem of trying to run everything everywhere.

4. Enterprise‑grade security

Azure Arc, IoT Edge, and Container Registry gives you:

• signed images
• policy‑based deployments
• identity‑bound devices
• encrypted communication

This is critical when edge devices live in factories, stores, or public spaces.

5. Cloud‑assisted intelligence

Even though inference happens locally, the cloud can still:

• aggregate telemetry
• retrain models
• detect drift
• optimize pipelines
• coordinate multi‑site deployments

This is how AI systems improve over time. 

How Docker fits into this hybrid world

Docker becomes the unit of deployment across both environments for DevOps and developers.

On the edge:

• lightweight images
• Hardened images
• GPU‑enabled containers
• read‑only root filesystems
• offline‑capable workloads

In the cloud:

• CI/CD pipelines
• model registries
• automated scanning
• versioned releases

The same container image runs in both places — but with different responsibilities.

My take: This is one of the strongest architectures for real‑world AI

If your goal is:

• real‑time AI
• high reliability
• centralized control
• scalable deployments
• secure operations
• hybrid cloud + edge synergy

…then Azure Local Cluster + Azure Cloud + Docker AI Edge is a near‑ideal solution.

It gives you the best of both worlds:
cloud intelligence + edge autonomy.

Here you find more about Microsoft Azure Local 

Here you find more blogposts about Docker, Windows Server 2025, and Azure Cloud Services :

Windows Server 2025 Core and Docker – A Modern Container Host Architecture

Docker Desktop Container Images and Azure Cloud App Services

Windows Admin Center Secured-core server view

The latest Windows Admin Center (WAC) release, version 2511 (November 2025, public preview), introduces refreshed management tools and deeper integration with modern Windows security features like Secure Boot, TPM 2.0, Kernel DMA Protection, Virtualization‑based Security (VBS), and OSConfig baselines for Windows Server.

Secured-core is a collection of capabilities that offers built-in hardware, firmware, driver and operating system security features. The protection provided by Secured-core systems begins before the operating system boots and continues whilst running. Secured-core server is designed to deliver a secure platform for critical data and applications.

Secured-core server is built on three key security pillars:

• Creating a hardware backed root of trust.
• Defense against firmware level attacks.
• Protecting the OS from the execution of unverified code.

Windows Admin Center 2511: Security Meets Modern Management

Windows Admin Center has steadily evolved into the preferred management platform for Windows Server and hybrid environments. With the 2511 build now in public preview, Microsoft continues to refine the experience for IT administrators, blending usability improvements with defense‑in‑depth security Microsoft Community.

 Security Features at the Core

What makes this release stand out is how WAC aligns with the latest Windows security stack. Let’s break down the highlights:

• OSConfig Security Baselines
  WAC now integrates baseline enforcement, ensuring servers adhere to CIS Benchmarks and DISA STIGs. Drift control automatically remediates deviations, keeping configurations locked to secure defaults. ( I like this one!)
• Hardware‑based Root of Trust
  Through TPM 2.0 and System Guard, WAC can validate boot integrity. This means admins can remotely attest that servers started securely, free from tampering.
• Kernel DMA Protection
  Thunderbolt and USB4 devices are notorious vectors for DMA attacks. WAC surfaces configuration and compliance checks, ensuring IOMMU‑based protection is active.
• Secure Boot Management
  OEM Secure Boot policies are visible and manageable, giving admins confidence that only signed, trusted firmware and drivers load during startup.
• Virtualization‑based Security (VBS)
  WAC exposes controls for enabling VBS and Memory Integrity (HVCI). These features isolate sensitive processes in a hypervisor‑protected environment, blocking unsigned drivers and kernel exploits.

Windows Server security baseline not yet implemented as you can see

 What’s New in Build 2511

Beyond security, version 2511 delivers refinements to the virtual machines tool, installer improvements, and bug fixes. Combined with the backend upgrade to .NET 8 in the earlier 2410 GA release, WAC is faster, more reliable, and better equipped for enterprise workloads.

Why It Matters

In today’s hybrid IT landscape, security and manageability must coexist. Windows Admin Center 2511 demonstrates Microsoft’s commitment to:

• Unified management: One pane of glass for servers, clusters, and Azure Arc‑connected resources.
• Compliance assurance: Built‑in baselines reduce audit headaches.
• Future‑proof security: Hardware‑rooted trust and virtualization‑based isolation protect against evolving threats.

Final Thoughts

If you’re an IT admin preparing for Windows Server 2025 deployments, the new Windows Admin Center build is more than just a management tool—it’s a security enabler. By weaving in Secure Boot, TPM, DMA protection, and VBS, WAC ensures that your infrastructure isn’t just easier to manage, but fundamentally harder to compromise.

Here you find the Microsoft docs :

What is Secured-core server for Windows Server | Microsoft Learn

OSConfig overview for Windows Server | Microsoft Learn

How System Guard helps protect Windows | Microsoft Learn

Kernel DMA Protection | Microsoft Learn

Secure boot | Microsoft Learn

Trusted Plaform Module (TPM) 2.0 | Microsoft Learn

Virtualization-based Security (VBS) | Microsoft Learn

Enable memory integrity | Microsoft Learn

What is Windows Admin Center Virtualization Mode (Preview)?

Windows Admin Center Virtualization Mode is a purpose-built management experience for virtualization infrastructure. It enables IT professionals to centrally administer Hyper-V hosts, clusters, storage, and networking at scale.

Unlike administration mode, which focuses on general system management, Virtualization Mode focuses on fabric management. It supports parallel operations and contextual views for compute, storage, and network resources. This mode is optimized for large-scale, cluster-based environments and integrates lifecycle management, global search, and role-based access control.

Virtualization Mode offers the following key capabilities:

• Search across navigation objects with contextual filtering.
• Support for SAN, NAS, hyperconverged, and scale-out file server architectures.
• VM templates, integrated disaster recovery with Hyper-V Replica, and onboarding of Arc-enabled resources (future capability).
• Software-defined storage and networking (not available at this time).

Install Windows Admin Center Virtualization Mode

Test all these New features of Windows Admin Center and Windows Server in your test environment and be ready for production when it becomes general available. Download Windows Admin Center 2511 Preview here

Docker Desktop and Azure App Cloud Services

Expanded Architecture: Docker developer environment with Azure Cloud Services.

Development Environment

• Docker Desktop + Tools: Visual Studio Code, Azure CLI, Docker Scout, AI, MCP
• Docker Scout CLI: Compares image versions, detects CVEs, integrates with pipelines

Container Host (Windows Server 2025 Core)

• Hyper-V Isolated Containers: For enhanced security
• Workloads: Microservices, legacy apps, AI containers
• GitOps Operator: Automated deployment via Git repositories
• Azure Arc Agent: Connects on-prem host to Azure Control Plane

Here you find more information about Docker on Windows Server 2025 Core

Your Windows 11 Laptop with Docker Desktop

• Hyper-V / WSL2: for your containers development
• Azure Arc Agent: for your Azure Cloud Services and security
• Docker Desktop for Windows installed

Azure Cloud Integrations

Component	Function
Azure App Service (Docker)	Hosts web apps as Docker containers with autoscaling and Key Vault integration
Azure DevOps + Pipelines	CI/CD for image build, scan, push, and deployment
Azure Copilot Security	AI-driven security recommendations and policy analysis
Azure Container Registry (ACR)	Secure storage and distribution of container images
Azure Key Vault	Secrets management: API keys, passwords, certificates
Microsoft Defender for Cloud	Runtime protection, image scanning, threat detection
Azure Policy & RBAC	Governance and access control
Azure Monitor + Sentinel	Logging, metrics, threat detection
Azure Update Manager	Hotpatching of Windows and container images without reboot

More information on Strengthening Container Security with Docker Hardened Images and Azure Container Registry

DevSecOps Workflow

1. Build & Harden Image → Dockerfile + SBOM
2. Scan with Docker Scout → CLI or pipeline
3. Push to ACR → With signing and RBAC
4. Deploy via Azure DevOps Pipelines → App Service or Arc-enabled host
5. Inject Secrets via Key Vault → Automatically at runtime
6. Monitor & Patch → Azure Monitor + Update Manager
7. Audit & Alerting → Azure Sentinel + Defender
8. Security Guidance → Copilot Security analyzes policies and offers recommendations

Example of Deploying a custom container to Azure App Service with Azure Pipelines

Microsoft Azure App Service is really scalable for Docker App Solutions:

Azure App Service is designed to scale effortlessly with your application’s needs. Whether you’re hosting a simple web app or a complex containerized microservice, it offers both vertical scaling (upgrading resources like CPU and memory) and horizontal scaling (adding more instances). With built-in autoscaling, you can respond dynamically to traffic spikes, scheduled workloads, or performance thresholds—without manual intervention or downtime.

From small startups to enterprise-grade deployments, App Service adapts to demand with precision, making it a reliable platform for modern, cloud-native applications.

Scale Up Features and Capacities Learn how to increase CPU, memory, and disk space by changing the pricing tier

Enable Automatic Scaling (Scale Out) Configure autoscaling based on traffic, schedules, or resource metrics

Per-App Scaling for High-Density Hosting Scale individual apps independently within the same App Service Plan

Conclusion

For modern developers, the combination of Azure App Services and Docker Desktop offers a powerful, flexible, and scalable foundation for building, testing, and deploying cloud-native applications.

• Developers can build locally with Docker, ensuring consistency and portability.
• Then deploy seamlessly to Azure App Services, leveraging its cloud scalability and integration.
• This workflow reduces configuration drift, accelerates testing cycles, and improves team collaboration.

As businesses race toward cloud-native infrastructure and microservices, Windows Server 2025 Core emerges as a lean, powerful platform for hosting Docker containers. With its minimal footprint and robust security posture, Server Core paired with Docker offers a compelling solution for modern application deployment.

Architecture Design: Windows Server Core + Docker

Windows Server 2025 Core is a headless, GUI-less version of Windows Server designed for performance and security. When used as a Docker container host, it provides:

• Lightweight OS footprint: Reduces attack surface and resource consumption.
• Hyper-V isolation: Enables secure container execution with kernel-level separation.
• Support for Nano Server and Server Core images: Ideal for running Windows-based microservices.
• Integration with Azure Kubernetes Service (AKS): Seamless orchestration in hybrid environments.

Key Components

Component	Role in Architecture
Windows Server 2025 Core	Host OS with minimal services
Docker Engine	Container runtime for managing containers
Hyper-V	Optional isolation layer for enhanced security
PowerShell / CLI Tools	Management and automation
Windows Admin Center	GUI-based remote management

Installation Guide

Setting up Docker on Windows Server 2025 Core is straightforward but requires precision. Here’s a simplified walkthrough:

Windows Server 2025 Datacenter Core running

1. Install Required Features

Use PowerShell to install Hyper-V and Containers features:

Install-WindowsFeature -Name Hyper-V, Containers -IncludeManagementTools -Restart

2. Install Docker

Download and install Docker from the official source or use the PowerShell script provided by Microsoft:

Invoke-WebRequest “https://download.docker.com/win/static/stable/x86_64/docker-28.4.0.zip” -OutFile “docker.zip”

Unzip and configure Docker as a service:

at Docker directory to your path

Add the Docker config directory

Set the daemon

Create the Docker Service

net start docker

docker version

Docker Host on Windows Server 2025 Core is Installed

3. Configure Networking

Ensure proper NAT or transparent networking for container communication.

4. Pull Base Images

Use Docker CLI to pull Windows container images:

docker pull mcr.microsoft.com/windows/servercore:ltsc2025

5. Test Deployment

Run a sample Windows Server 2025 core container:

docker run -it mcr.microsoft.com/windows/servercore:ltsc2025

Inside the Windows Server 2025 Core Container on the Docker host.

Best Practices

To maximize reliability, security, and scalability:

• Use Hyper-V isolation for sensitive workloads.
• Automate deployments with PowerShell scripts or CI/CD pipelines.
• Keep base images updated to patch vulnerabilities.
• Monitor containers using Azure Arc monitoring or Windows Admin Center.
• Limit container privileges and avoid running as Administrator.
• Use volume mounts for persistent data storage.

Conclusion: Why It Matters

For developers, Windows Server 2025 Core with Docker offers:

• Fast iteration cycles with isolated environments.
• Consistent dev-to-prod workflows using container images.
• Improved security with minimal OS footprint and Hyper-V isolation.

For businesses, the benefits are even broader:

• Reduced infrastructure costs via efficient resource usage.
• Simplified legacy modernization by containerizing Windows apps.
• Hybrid cloud readiness with Azure integration and Kubernetes support.
• Scalable architecture for microservices and distributed systems.

Windows Server 2025 Core isn’t just a server OS—it’s a launchpad for modern, secure, and scalable containerized applications. Whether you’re a developer building the next big thing or a business optimizing legacy systems, this combo is worth the investment.

Integrating Azure Arc into the Windows Server 2025 Core + Docker Architecture for Adaptive Cloud

Overview

Microsoft Azure Arc extends Azure’s control plane to your on-premises Windows Server 2025 Core container hosts. By onboarding your Server Core machines as Azure Arc–enabled servers, you gain unified policy enforcement, monitoring, update management, and GitOps-driven configurations—all while keeping workloads close to the data and users.

Architecture Extension

• Azure Connected Machine Agent
  Installs on Windows Server 2025 Core as a Feature on Demand, creating an Azure resource that represents your physical or virtual machine in the Azure portal.
• Control Plane Integration
  Onboarded servers appear in Azure Resource Manager (ARM), letting you apply Azure Policy, role-based access control (RBAC), and tag-based cost tracking.
• Hybrid Monitoring & Telemetry
  Azure Monitor collects logs and metrics from Docker Engine, container workloads, and host-level performance counters—streamlined into your existing Log Analytics workspaces.
• Update Management & Hotpatching
  Leverage Azure Update Manager to schedule Windows and container image patches. Critical fixes can even be applied via hotpatching on Arc-enabled machines without a reboot.
• GitOps & Configuration as Code
  Use Azure Arc–enabled Kubernetes to deploy container workloads via Git repositories, or apply Desired State Configuration (DSC) policies to Server Core itself.

Adaptive Cloud Features Enabled

• Centralized Compliance
  Apply Azure Policies to enforce security baselines across every Docker host, ensuring drift-free configurations.
• Dynamic Scaling
  Trigger Azure Automation runbooks or Logic Apps when performance thresholds are breached, auto-provisioning new container hosts.
• Unified Security Posture
  Feed security alerts from Microsoft Defender for Cloud into Azure Sentinel, correlating threats across on-prem and cloud.
• Hybrid Kubernetes Orchestration
  Extend AKS clusters to run on Arc-connected servers, enabling consistent deployment pipelines whether containers live on Azure or in your datacenter.

More information about Innovate on an Adaptive Cloud here

Integration Walkthrough

1. Prepare your Server Core host (ensure Hyper-V, Containers, and Azure Arc Feature on Demand are installed).
2. Install Azure Arc agent via Azure PowerShell
3. In the Azure portal, navigate to Azure Arc > Servers, and verify your machine is onboarded.
4. Enable Azure Policy assignments, connect to a Log Analytics workspace, and turn on Update Management.
5. (Optional) Deploy the Azure Arc GitOps operator for containerized workloads across hybrid clusters.

Visualizing Azure Arc in Your Diagram

Above your existing isometric architecture, add a floating “Azure Cloud Control Plane” layer that includes:

• ARM with Policy assignments
• Azure Monitor / Log Analytics
• Update Manager + Hotpatch service
• GitOps repo integrations

Draw data and policy-enforcement arrows from this Azure layer down to your Windows Server Core “building,” Docker cube, container workloads, and Hyper-V racks—demonstrating end-to-end adaptive management.

Why It Matters

Integrating Azure Arc transforms your static container host into an adaptive cloud-ready node. You’ll achieve:

• Consistent governance across on-prem and cloud
• Automated maintenance with zero-downtime patching
• Policy-driven security at scale
• Simplified hybrid Kubernetes and container lifecycle management

With Azure Arc, your Windows Server 2025 Core and Docker container hosts become full citizens of the Azure ecosystem—securing, monitoring, and scaling your workloads wherever they run.

Better Together

 

Updating Windows Server Insider Preview Build to version 26461.1001

On August 7, 2025, Microsoft dropped a fresh Insider Preview build for Windows Server vNext—Build 26461—and it’s packed with innovations aimed at enterprise resilience, storage performance, and hybrid cloud readiness. Whether you’re a datacenter architect or a curious sysadmin, this build offers a glimpse into the future of Windows Server 2025.

Rack Level Nested Mirror (RLNM) for S2D Campus Cluster

One of the headline features is Rack Level Nested Mirror (RLNM) for Storage Spaces Direct (S2D) Campus Clusters. This enhancement is designed to meet NIS2 compliance for multi-room data redundancy in industrial environments.

Key capabilities:

• Enables fast and resilient storage across multiple racks or rooms.
• Supports all-flash storage (SSD/NVMe) with RDMA NICs (iWARP, RoCE, InfiniBand).
• Requires defining rack fault domains during cluster setup.
• Supports four-copy volumes with both fixed and thin provisioning.

This is a game-changer for factories and enterprises needing high availability across physical fault domains.

Under the Hood: Germanium Codebase

Build 26461 is based on the Germanium codebase, aligning with the broader Windows 11 ecosystem. It supports both AMD64 and ARM64 architectures and was compiled on July 31, 2025.

Final Thoughts

Windows Server vNext Build 26461 is more than just a preview—it’s a blueprint for the next generation of enterprise-grade infrastructure. With RLNM, expanded deployment options, and tighter integration with Azure, Microsoft is clearly doubling down on hybrid cloud and high-availability scenarios.

You can explore the full announcement on Microsoft’s Community Hub. Enjoy your testing

 

Microsoft Azure Storage Explorer version 1.39.1

Microsoft Azure Storage Explorer is a free, standalone application that streamlines how Azure Administrators interact with storage accounts. Whether you’re managing blobs, file shares, queues, or tables, this versatile tool brings consistency, speed, and clarity to every operation—far beyond what the Azure portal alone can provide.

Why Azure Storage Explorer Matters

Managing storage through the Azure portal is intuitive, but for heavy-duty or repetitive tasks, it falls short:

• Manual clicks become tedious when transferring hundreds of files.
• The web UI can feel sluggish on large containers.
• Scripting small tasks often requires context switching between CLI and portal.

Azure Storage Explorer fills these gaps by offering:

• A desktop client optimized for high-throughput transfers.
• A unified interface for all storage types.
• Built-in support for SAS tokens, Azure Active Directory, and emulator endpoints.

These capabilities translate into faster workflows and fewer mistakes.

Key Features and Advantages

• Unified Storage View across Blob Containers, File Shares, Queues, and Tables.
• High-Performance Data Transfers with parallel upload/download threads, drag-and-drop, and pause/resume support.
• Fine-Grained Access Control via Azure AD, service principals, or SAS tokens.
• Local Dev/Test Integration with Azurite and the legacy Storage Emulator.

Security and Compliance

Azure Storage Explorer adheres to Azure’s stringent security standards, ensuring your data remains protected at every stage:

• Data Encryption
  • All data in transit is secured via HTTPS/TLS.
  • Data at rest uses Azure Storage Service Encryption (AES-256).
• Authentication and Authorization
  • Native Azure Active Directory (AAD) integration for RBAC.
  • Support for service principals, managed identities, and SAS tokens.
  • Option to connect with access keys when needed.
• Network Security
  • Compatible with private endpoints to restrict traffic to your Virtual Network.
  • Honors storage account firewall rules and trusted Microsoft services only.
• Audit Logging and Monitoring
  • Leverage Azure Monitor’s diagnostic settings to capture Storage Explorer activity.
  • Integrate with Azure Sentinel or third-party SIEM tools for real-time alerts.
• Compliance Certifications
  • Inherits Azure Storage’s compliance portfolio, including ISO, SOC, GDPR, and HIPAA standards.

Quick Comparison: Portal vs. Storage Explorer

Capability	Azure Portal	Azure Storage Explorer
Bulk Upload/Download	Limited parallelism, manual UI	High-performance parallelism
Authentication Methods	Primarily Azure AD	Azure AD, SAS, connection strings, emulator
Local Emulator Support	Requires separate installation	Native support for Azurite and emulator
CLI/Scripting Integration	CLI or PowerShell separately	Built-in scripting via PowerShell snippets
Cross-Subscription Browsing	Tab per subscription	All subscriptions in one pane

Real-World Scenarios

1. Disaster Recovery Testing
   Quickly seed a secondary storage account from backups stored in local Azurite for non-production failover drills.
2. Mass Data Migration
   Move terabytes of logs or media assets between subscriptions without crafting custom AzCopy scripts.
3. Role-Based Troubleshooting
   Verify user permissions by connecting under different service principals, then audit and correct access policies on the fly.

Getting Started in Minutes

1. Download & Install
   Grab the latest MSI/DMG from Microsoft’s official download page.
2. Connect Your Account
   • Choose Azure AD for seamless single sign-on.
   • Or paste a SAS URL for granular, time-limited access.
3. Explore & Operate
   • Expand subscriptions and storage accounts in the left pane.
   • Drag files into blob containers or right-click tables to run C# or PowerShell snippets.
4. Automate Common Tasks
   • Record frequent operations as scripts.
   • Export and share connection profiles with your team for consistent setups.

Here you see the simple installation steps of Azure Storage Explorer:

Download Microsoft Azure Storage Explorer

Right click the file and run as Administrator.

This is for me only, so I clicked on Install for me only

Accept the agreement and click on Install

An old installation was detected on my machine, Setup will uninstall it before continuing.
Click on Next

Select your folder or keep it default and click on Next

Click on Next
When you don’t want a start Menu Folder mark the box on the left.

Click on Finish

Microsoft Azure storage Explorer.

Sign in with your Azure Account.

Select your Azure Environment and click on Next

Microsoft Azure Storage Explorer connected with your Azure Subscription.

 

Tips & Best Practices

• Use AzCopy integration for scripting large-scale migrations and include –recursive for deep folder copies.
• Leverage table filtering to preview query results before exporting datasets.
• Keep your Storage Explorer version up to date—the team delivers monthly enhancements and bug fixes.
• Store connection profiles in source control (encrypted) so every teammate uses the exact same environment.

Conclusion

Azure Storage Explorer transforms tedious, repetitive storage tasks into a seamless, high-speed experience. For any Azure Administrator juggling blobs, files, queues, or tables, it’s the go-to tool to boost productivity, ensure security, and tame your data sprawl.

Next Steps

• Download Azure Storage Explorer and connect a demo subscription today.
• Explore built-in script samples to automate your top five storage tasks.
• Join the Azure Storage community on GitHub to suggest features or report issues.

More information about Azure Storage Explorer on Microsoft Learn

Dear Community Members, Friends, and Colleagues,

As I mark my 15th anniversary in the Microsoft MVP program, I’m filled with immense gratitude, humility, and pride. What began as a passion for sharing knowledge and building connections has blossomed into a deeply rewarding journey—one shaped by innovation, collaboration, and the extraordinary people who make this community thrive.

Over these 15 years, I’ve had the privilege to learn from brilliant minds, contribute to inspiring projects, and witness the transformative power of technology firsthand. Whether through speaking engagements, blog posts, mentoring, or hands-on technical work, being part of the MVP program has continually deepened my commitment to empowering others and fostering open, inclusive collaboration.

To the community: thank you for challenging, supporting, and celebrating with me. Your curiosity, creativity, and kindness are what keep this ecosystem alive and forward-looking.

To Microsoft: thank you for the honor and trust. The MVP program is a unique platform that amplifies voices, nurtures growth, and builds bridges—not just between developers and users, but between ideas and action.

While this milestone is a moment to reflect, it’s also a reminder that there’s always more to explore, create, and share. I look forward to continuing this journey together—with the same spark, but even greater purpose.

With heartfelt appreciation,
James

Here are some photos with Awesome people that I have met during these years:

Here you see Vijay Tewari in the middle who nominated me for the first time
Damian Flynn on the left and me on the right are Microsoft MVPs for Virtual Machine Manager (VMM)
at that time in 2011.

Here you see Tina Stenderup-Larsen in the middle, she is amazing! A Great Microsoft Community Program Manager
supporting all the MVPs in the Nordics & Benelux doing an Awesome Job!
On the right is Robert Smit a Great Dutch MVP and friend.

Mister OMS alias Scripting Guy Ed Wilson.

When there is a Microsoft Windows Server event, there is Jeff Woolsey 
“The three Musketeers”

Meeting Brad Anderson, he had great lunch breaks interviews in his car
with Awesome people.

The Azure Stack Guys on the 25th MVP Global Summit

Mister PowerShell Jeffrey Snover at the MVP Summit having fun

Scott Guthrie meeting him at the Red Shirt Tour in Amsterdam.

Great to meet Yuri Diogenes in 2018 with his book Azure Security Center.
I know him from the early days with Microsoft Security, like ISA Server

Mister Azure, CTO Mark Russinovich meeting at the MVP Global Summit in Redmond.
a Great Technical Fellow with Awesome Azure Adaptive Cloud Solution Talks!

Mister DevOps himself Donovan Brown in Amsterdam for DevOps Days

My friend Rick Claus Mister MS Ignite.

Mister Azure Corey Sanders at the MVP Summit.

Mister Channel 9, MSIgnite, AI Specialist Seth Juarez
He is a funny guy.

Meeting Scott Hanselman in the Netherlands together with MVP Andre van den Berg.
Scott is Awesome in developer innovations and technologies.
Following Azure Friday from the beginning.

Windows Insider friends for ever meeting Scott Hanselman.
With on the left MVP Erik Moreau.

Windows Insiders for Ever
Here together with Dona Sarkar here in the Netherlands

Windows Insider Friends having fun with Ugly Sweater meeting.
On the right my friend Maison da Silva and on the upper right Erik Moreau and Andre van den Berg.
Friends for Life

Microsoft Global MVP 15 Years Award disc is in the House
on Monday the 14th of July 2025.

Thank you All

Windows Server 2025 Insider Preview Build 26433 Datacenter Edition

In a digital era where agility, security, and resilience define success, enterprises are constantly seeking ways to future-proof their IT infrastructure. Enter the Windows Server Insider Program — a gateway into the future of Windows Server, offering IT professionals and enterprise architects a unique head-start in shaping and testing tomorrow’s server technologies.

What Is the Windows Server Insider Program?

At its core, the Windows Server Insider Program is Microsoft’s early-access platform for organizations and individuals eager to test pre-release versions of Windows Server. It allows IT departments to explore upcoming features, evaluate improvements, and provide feedback well before general availability — all while aligning their roadmap with Microsoft’s evolving ecosystem.

Strategic Benefits for Enterprise Businesses

1. Early Access to Innovation

Being the first to test new builds offers a strategic advantage. Enterprises can evaluate enhancements such as improved virtualization support, deeper integration with Azure services, and security updates, giving them ample lead time to plan deployments and migrations.

2. Security Readiness

With constantly evolving cybersecurity threats, security must be proactive, not reactive. Insider builds often preview cutting-edge security features, like Just-in-Time administration and advanced auditing, enabling security teams to assess and incorporate them into enterprise policies early on.

3. Operational Efficiency through Feedback

Insiders are encouraged to report issues, suggest enhancements, and contribute to the design process. Enterprises that participate become co-creators in shaping Windows Server — turning feedback into business-aligned features that improve workflows and infrastructure performance.

4. Skills Development and Training

IT professionals gain first-hand experience with upcoming technologies, enhancing team expertise and preparing staff for smoother transitions during official releases. This becomes a valuable part of enterprise L&D strategies, minimizing learning curves and avoiding costly deployment surprises.

5. Better Long-Term Planning

Access to Insider builds allows enterprises to assess hardware compatibility, benchmark performance, and refine internal tools or scripts, reducing friction during upgrades or cloud migrations.

Real-World Scenario: Testing Hybrid Flexibility

Imagine an enterprise planning a hybrid infrastructure strategy using Azure Arc and on-prem Windows Server. By experimenting with preview builds, they can test hybrid management policies, refine group configurations, and validate security baselines — all without impacting production environments.

How to Get Started

Enrollment is straightforward. Enterprises can sign up using their Microsoft account and download the latest Insider builds from the Windows Server Insider Preview portal.

Final Thoughts

In enterprise tech, innovation waits for no one. The Windows Server Insider Program offers more than just access — it’s a strategic lever for proactive IT leadership. By embracing this program, organizations gain the insight, influence, and preparedness to lead in the evolving digital landscape.

If your enterprise hasn’t joined yet, now might be the best time to get ahead of the curve — because the future of infrastructure isn’t just about adopting change. It’s about helping build it.

 

In today’s cloud-native landscape, container security is paramount. IT professionals must strike a balance between agility and security, ensuring that applications run smoothly without exposing vulnerabilities. One way to achieve this is through Docker hardened images, which enhance security by reducing attack surfaces, enforcing best practices, and integrating with Microsoft Azure Container Registry (ACR) for seamless deployment.

Why Hardened Docker Images?

A hardened Docker image is optimized for security, containing only the necessary components to run an application while removing unnecessary libraries, binaries, and configurations. This approach reduces the risk of known exploits and ensures compliance with security standards. Key benefits include:

• Reduced Attack Surface: Eliminating unnecessary components minimizes entry points for attackers.
• Improved Compliance: Meets security benchmarks like CIS, NIST, and DISA STIG.
• Enhanced Stability: Smaller images mean fewer dependencies, reducing vulnerabilities.
• Better Performance: Optimized images lead to faster deployments and lower resource consumption.

Leveraging Azure Container Registry for Secure Image Management

Microsoft Azure Container Registry (ACR) plays a critical role in securely storing, managing, and distributing hardened images. IT professionals benefit from features such as:

• Automated Image Scanning: Built-in vulnerability assessment tools like Microsoft Defender for Cloud detect security risks.
• Content Trust & Signing: Ensures only authorized images are deployed.
• Geo-replication: Enables efficient global distribution of container images.
• Private Registry Access: Provides secure authentication via Azure Active Directory.

Microsoft Azure Container Registry

Hardened Images in Azure Container Solutions

By deploying hardened images through Azure Kubernetes Service (AKS), Azure Container Apps, and Azure Functions, organizations strengthen security in cloud-native applications while leveraging Azure’s scalability and flexibility. This translates to:

• Improved Security Posture: Reducing exposure to common container-based threats.
• Streamlined Operations: Consistent, automated deployment pipelines.
• Efficient Cost Management: Optimized images lower compute and storage costs.

Strengthening Security with Docker Scout

Docker Scout is a powerful security tool designed to detect vulnerabilities in container images. It integrates seamlessly with Docker CLI, allowing IT professionals to:

• Scan Images for CVEs (Common Vulnerabilities and Exposures): Identify security risks before deployment.
• Receive Actionable Insights: Prioritized remediation recommendations based on severity.
• Automate Security Checks: Continuous monitoring ensures compliance with security standards.
• Integrate with Azure Container Registry (ACR): Scan images stored in ACR for proactive security management.

How It Works with Azure Container Solutions

By incorporating Docker Scout with Azure Container Registry (ACR), IT teams can establish a robust security workflow:

1. Build & Harden Docker Images – Optimize base images to minimize attack surfaces.
2. Scan with Docker Scout – Detect vulnerabilities in both public and private repositories.
3. Push Secure Images to ACR – Ensure only validated, hardened images are stored.
4. Deploy on Azure Container Solutions – Use AKS, Azure App Service, or Azure Functions with improved security confidence.
5. Monitor & Automate Security Updates – Continuous scanning helps maintain container integrity.

Best Practices for IT Professionals

To maximize security, IT teams should adopt the following best practices:

1. Use Minimal Base Images (Alpine, Distroless) to reduce attack surfaces.
2. Regularly Update & Scan Images to patch vulnerabilities.
3. Implement Role-Based Access Controls (RBAC) for container registries.
4. Adopt Infrastructure as Code (IaC) to enforce secure configurations.
5. Monitor & Audit Logs for anomalous activity detection.
6. Automate Docker Scout scans in CI/CD pipelines.
7. Enforce image signing & verification using Azure Key Vault.
8. Regularly update base images & dependencies to mitigate risks.
9. Apply role-based access controls (RBAC) within Azure Container Registry

Conclusion

Secure containerization starts with hardened Docker images and robust registry management. Azure Container Registry offers IT professionals the tools to maintain security while leveraging cloud efficiencies. By integrating these strategies within Azure’s ecosystem, organizations can build resilient and scalable solutions for modern workloads.
Docker Scout combined with Azure Container Registry provides IT professionals a strong security foundation for cloud-native applications. By integrating proactive vulnerability scanning into the development workflow, organizations can minimize risks while maintaining agility in container deployments.
When you work with artificial intelligence (AI) and Containers working with Model Context Protocol (MCP)
Security by Design comes first before you begin.
Here you find more information about MCP protocol via Docker documentation

 

 

50 years of Microsoft

A Legacy of Innovation and Transformation

Half a century ago, on April 4th, 1975, two young visionaries, Bill Gates and Paul Allen, co-founded Microsoft with a bold ambition: to make computing accessible and essential for everyone. What began as a small software company has grown into a global technology leader, continuously transforming industries and empowering billions of lives. As we celebrate Microsoft’s 50-year journey, let’s explore its milestones, innovations, and impact, including its contributions to datacenters, Windows Server, Hyper-V, Azure, and the leadership of its CEOs.

The Early Years: Coding the Future

Microsoft’s first big breakthrough came with the creation of an operating system for the fledgling personal computer market. In 1980, the company introduced MS-DOS, laying the groundwork for the revolutionary Windows operating system, launched in 1985. This graphical interface transformed computing, making it accessible to both businesses and individuals.

Guiding Microsoft Through Its Evolution: The CEOs Who Shaped the Company

Microsoft’s trajectory has been shaped by its visionary leadership. From the founders to the present, each CEO has left an indelible mark:

1. Bill Gates (1975–2000): As co-founder and first CEO, Gates spearheaded the company’s initial growth, launching pivotal products like MS-DOS, Windows, and Office. His focus on innovation and accessibility built the foundation of Microsoft’s success.
2. Steve Ballmer (2000–2014): During his tenure, Ballmer led Microsoft through massive expansion, particularly in enterprise solutions and cloud computing. He introduced Windows Server and laid the groundwork for services like Azure. Ballmer’s energy and passion defined his leadership style and kept Microsoft competitive in a rapidly changing market.
3. Satya Nadella (2014–Present): Nadella ushered in a cloud-first, AI-driven era, transforming Microsoft’s culture and business model. His emphasis on inclusivity, empathy, and sustainability revitalized the company. Under his leadership, Azure became one of the world’s leading cloud platforms, and Microsoft made transformative acquisitions like LinkedIn, GitHub, and Activision Blizzard.

Lake Bill on Redmond Campus

Redefining Enterprise Technology: Datacenters, Windows Server, and Virtualization

As businesses increasingly relied on technology, Microsoft expanded its offerings to support enterprise needs. Windows Server, introduced in 1993, became a cornerstone for server management and networking. It evolved over the decades, incorporating features such as Active Directory, high availability, and security enhancements.

Microsoft played a pivotal role in virtualization with Hyper-V, launched in 2008. Hyper-V allowed organizations to maximize resource efficiency and reduce costs by running multiple virtual machines on a single physical server. Modern datacenters powered by Microsoft’s hardware and software solutions now form the backbone of its cloud services.

Embracing the Cloud: The Azure Revolution

Microsoft’s Azure cloud platform, launched in 2010, redefined computing. It enabled organizations to access scalable infrastructure, deploy applications globally, and harness artificial intelligence with ease. Azure spans over 60 regions worldwide, making it one of the most comprehensive cloud platforms. Its ecosystem includes hybrid cloud solutions, advanced analytics, and IoT technologies.

Gaming, Devices, and Consumer Innovation

Microsoft entered the gaming industry with the Xbox in 2001, creating a thriving gaming ecosystem. Beyond gaming, the company innovated with devices like the Surface lineup, combining sleek design with productivity. Its integration of hardware and software demonstrated Microsoft’s versatility.

Shaping the Future: AI, Sustainability, and Datacenters

Microsoft continues to lead in artificial intelligence with tools like Microsoft Copilot. Its pledge to be carbon-negative by 2030 highlights environmental responsibility, with sustainable datacenter operations playing a central role.

Conclusion: A Legacy Built to Inspire

Microsoft’s 50-year journey is a testament to the power of innovation and visionary leadership. From Bill Gates to Steve Ballmer to Satya Nadella, each CEO has steered the company to new heights. With contributions ranging from datacenters and Windows Server to Hyper-V and Azure, Microsoft’s impact has been profound. As the company looks ahead, it remains dedicated to empowering people and organizations to achieve more, ensuring the next 50 years are as groundbreaking as the last.

Here’s to Microsoft—a company built to inspire and shape the future.

at Building 92 of the Microsoft Campus in Redmond.

 

Scenario:

If you need a distribution list in Exchange that includes both internal organization contacts and external contacts—without requiring external users to be invited as guest accounts—there’s a simple way to achieve this.

In Exchange Online, external contacts are referred to as Mail Contacts. These allow you to add external email addresses to your organization’s address book, making them available for inclusion in distribution lists. By leveraging Mail Contacts, you can create a fully functional distribution list that includes both internal users and external recipients while keeping everything manageable within Exchange.

Managing email distribution lists efficiently is crucial for organizations that need to communicate with both internal and external contacts. While Exchange Online allows us to create Mail Contacts programmatically using PowerShell scripts or the Exchange Online Management API, automating this process is key—especially when integrating it with Dynamics 365 Marketing Lists.

The Automation Challenge

In my case, I wanted to automatically add new contacts from a specific Dynamics 365 Marketing List to a corresponding Exchange Distribution List. Initially, I considered using Power Automate to invoke a PowerShell script, but that introduced additional complexities:

• Using Power Automate to trigger an Azure Automation Runbook
• Managing authentication and execution permissions
• Handling execution timing and monitoring

A More Efficient Approach: Logic Apps

Instead of relying on Power Automate, I found a better and more streamlined approach—using Azure Logic Apps. Unlike Power Automate, Logic Apps offer built-in functionality to create and execute Runbook Jobs directly within Azure Automation.

What This Blog Covers

In this post, I’ll walk you through:
Setting up an Azure Automation Account
Creating a Runbook to execute a PowerShell script that adds Mail Contacts
Using Azure Logic Apps to trigger the Runbook
Handling authentication across these services

By the end, you’ll have an end-to-end automation setup that seamlessly adds external contacts to Exchange Distribution Lists as soon as they join a Dynamics 365 Marketing List—without requiring manual intervention.

Let’s dive in!

Step 1: Set up the Azure Automation Account

1. Log in to Portal Azure https://portal.azure.com/ and in the search box, type Automation Accounts

2. Click on Create, Select your Subscription and Resource group, and type in the Automation Account Name

2. Then click the Advanced Tab, and on the Managed Identities, select User Assign; we will set up the User Managed Identity in the next steps.

3. Click Review and Create.

Step 2: Setup the User Managed Identity

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

So Let’s see how to setup the account with the Required Permissions!

1. On the Search, Type Managed Identities

2. Click Create, Select the subscription, Resource group, and give it a name

3. Then Press Review and Create

4. Open the automation account that we have created in Step no. 1

5. Search for Identity, open the link, select user assigned, and click Add.

6. Add the managed identity that we have just created.

7. Next comes setting the Permissions for the Managed Identity, so go back and open the Managed Identity.

8. Go to Azure Role Assignments and add the Automation Contributor Role; this is required to enable the Logic app to execute the RunBook (we will be creating this in the next step) on the automation account.

9. Grant the Exchange.ManageAsApp API permission for the managed identity to call Exchange Online, Unfortunately, this step can’t be done through the Azure / Entra Portal, so we will be using Graphy API Explorer to achieve this.

Get the Managed Identity’s Object ID

Get Exchange Online Service Principal ID

Open Grap API Explorer, Login ,and run the below query and grap the Exchange online service Principal ID

Method: Get

https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000002-0000-0ff1-ce00-000000000000'

Assign the Exchange.ManageAsApp Permission

Using Graph Explorer API again, use the below to assign the Exchange.ManageAsApp Permission

POST https://graph.microsoft.com/v1.0/servicePrincipals/{MANAGED_IDENTITY_OBJECT_ID}/appRoleAssignments
Authorization: Bearer YOUR_ACCESS_TOKEN
Content-Type: application/json

{
  "principalId": "{MANAGED_IDENTITY_OBJECT_ID}",
  "resourceId": "{EXCHANGE_ONLINE_SERVICE_PRINCIPAL_ID}",
  "appRoleId": "dc50a0fb-09a3-484d-be87-e023b12c6440"
}

10. Assign Microsoft Entra roles to the managed identity; you will need to assign the Exchange Administrator Role

In the Search type role and select Microsoft Entra Roles and administrators

11. Open Exchange Administrator Assignments and add the user Managed Identity by clicking the Add Assignments Button .. Global administrator privileges will be required for this.

Step 4: Import Exchange Management Modules

1. Open the Automation Account that we have created in step 1
2. Navigate to Shared Resources -> Modules
3. Click Add Module

4. Click Browse from gallery

1. Open the Automation Account
2. Navigate to Process Automation -> Runbooks
3. Search for PackageManagement and select and choose the Runtime Version 5.1

4. Repeat for Add PowerShellGet and choose Runtime Version 5.1

5. Repeat for ExchangeOnlineManagement and choose Runtime Version 5.1

Step 5: Create a runbook in Azure Automation

1. Open the Automation Account
2. Navigate to Process Automation -> Runbooks
3. Click on Create a runbook. Make sure you are using Runtime Version 5.1 because PowerShell works only for this Version

4. Open the Run Book and click Edit in Portal.

5. Paste the below Powershell Script that connects to exchange

//The below piece of code sets parameters on the run book so that when called from a logic app we can pass these parameters to the run book.
param (
    [string]$MailContactName,
    [string]$MailContactEmail,
    [string]$DistributionList
)
// Connects to Exchange online via the managed Identity that have been setup in step 3
Connect-ExchangeOnline -ManagedIdentity -Organization Organisationdomain.onmicrosoft.com -ManagedIdentityAccountId {Managed Account Identity ID}

//Creates a mail contact in Exchange
New-MailContact -Name $MailContactName -ExternalEmailAddress $MailContactEmail

//Add mail Contact to the Distribution List
Add-DistributionGroupMember -Identity $DistributionList -Member $MailContactEmail

6. After that Click Save and Publish

7. You can then test the runbook by clicking the Test Pane on the Edit in Portal Screen of the runbook, entering the parameters and clicking start.

Step 5: Create the Logic App

So the Logic app will be created in a schedule and can query any enterprise connector like dataverse and then call the runbook that has been created in Step 5

1. From the Azure Portal , Look for Logic Apps and click Add
2. Choose the Hosting Plan, and here you can select the Consumption plan

3. Select the subscription, the Resource Group and add the logic app name

4. Click Review and Create and then Create

5. On the created Logic app, search for Identity, Navigate to user assigned and add the Managed identity created in step 2

5. Navigate to the Logic app designer. On the Add Trigger step, choose schedule and set the recurrence schedule. Then, add Action and look for Create Job and select the one under Azure Automation

6. Set the Connection Name and Choose the Authentication Type as Logic Apps Managed Identity

7. Select the Subscription, Resource Group, Automation Account, Run book and pass the required Parameters

8. Save and test the Logic App

Resources:

https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

https://learn.microsoft.com/en-au/powershell/exchange/connect-exo-powershell-managed-identity?view=exchange-ps&WT.mc_id=M365-MVP-9501

Try Now!

Windows Server 2025 Insider Preview Build 26360

Exploring the Latest Features in Microsoft Windows Server Insider Preview Builds

Microsoft’s Windows Server Insider Preview Builds are a treasure trove of innovation and advanced features designed to enhance performance, security, and flexibility for IT professionals. Today, we’re diving into the latest updates and new features introduced in the Windows Server 2025 Insider Preview Build.
Here you find more on What’s New in Microsoft Windows Server 2025

Here are some Highlights of new Windows Server 2025 Insider Preview features:

1. Enhanced Security with Delegated Managed Service Accounts (dMSA)

One of the standout features in this build is the introduction of Delegated Managed Service Accounts (dMSA). This new account type allows for migration from traditional service accounts to machine accounts with managed and fully randomized keys. By linking authentication to the device identity, dMSA helps prevent credential harvesting through compromised accounts, a common issue with traditional service accounts.

2. Windows Admin Center (WAC) Integration

Starting with this build, users can now download and install the Windows Admin Center (WAC) directly from the Windows Server Desktop. This in-OS app simplifies the installation process and provides a seamless experience for managing your server infrastructure.

3. Bluetooth Connectivity

Windows Server 2025 now supports Bluetooth connectivity, allowing users to connect mice, keyboards, headsets, and other peripherals directly to the server. This feature enhances flexibility and convenience for server management.

4. DTrace for Real-Time Performance Monitoring

The new build includes DTrace, a powerful command-line utility that enables real-time performance monitoring and troubleshooting. DTrace allows users to dynamically instrument both kernel and user-space code without modifying the code itself, supporting a range of data collection and analysis techniques.

5. Improved Upgrade Experience

Upgrading to Windows Server 2025 has never been easier. The build supports in-place upgrades from Windows Server 2012 R2 and later versions, allowing you to upgrade up to four versions at a time. This streamlined upgrade process ensures a smooth transition to the latest server version.

6. Feedback Hub for User Input

The new Feedback Hub app is now available for Server Desktop users. This app allows users to submit feedback or report issues directly to Microsoft, helping the development team understand user experiences and improve future builds.

7. SMB over QUIC and Alternative Ports

The build introduces SMB over QUIC with support for alternative ports. This feature enhances security and performance by allowing SMB traffic to use custom-defined ports instead of the default UDP/443 port.

8. Enhanced Desktop Experience

When you sign in for the first time, the desktop shell experience now conforms to the style and appearance of Windows 11. This visual update provides a familiar and modern interface for server administrators.

These new features and enhancements in the Windows Server 2025 Insider Preview Build demonstrate Microsoft’s commitment to providing cutting-edge solutions for IT professionals. Whether you’re looking to improve security, streamline management, or enhance performance, the latest Windows Server Insider Preview Build has something to offer.

Stay tuned for more updates and features as Microsoft continues to innovate and improve its server offerings.

Conclusion:

Become a Microsoft Windows Server Insider and get all the newest features first to play with it in your test environment.

Get started here and register for free

Introduction to Windows 11 with Copilot on Microsoft Surface Devices

Welcome to the exciting world of Windows 11, where innovation meets productivity with the combined power of Copilot and Microsoft’s Surface devices. In this blogpost, we’ll explore how Windows 11 enhances the user experience, and how pairing it with Copilot on a Surface Laptop or Surface Pro creates an unmatched synergy that transforms the way you work and play.

Microsoft Copilot + PC for Business

User Interface and Design

Windows 11 introduces a sleek, modern interface with a centered Start menu, rounded corners, and new iconography. The redesigned taskbar, Action Center, and widgets provide a more intuitive and streamlined experience, making navigation a breeze on the stunning high-resolution displays of Surface devices. With the Surface’s touch and pen capabilities, the new themes and wallpapers can be tailored to fit your unique style.

New Features and Improvements

Enhanced Touch and Pen Support

Surface devices are known for their exceptional touch and pen support, making Windows 11’s enhanced touch features even more impactful. Whether you’re using the Surface Pen for precise drawing or multitouch gestures to navigate seamlessly, the combination offers unparalleled interactivity.

Virtual Desktops and Snap Layouts

With Windows 11, organizing your workspace becomes effortless. The introduction of Snap Layouts and Snap Groups allows for better multitasking, perfectly complemented by the Surface’s spacious screen real estate. Virtual desktops let you create customized workspaces for different projects, maximizing productivity on the go.

Improved Gaming Capabilities

Gaming on a Surface Laptop or Surface Pro reaches new heights with Windows 11’s optimized gaming features. From DirectStorage for faster load times to Auto HDR for vibrant visuals, your gaming experience becomes more immersive and enjoyable.

What is the NPU, and how does it enhance performance.

The Neural Processing Unit (NPU) is a newer addition to modern Windows devices and plays a key role in handling tasks related to artificial intelligence (AI) and machine learning. It is designed to speed up complex processes such as facial recognition, voice assistance, and data analysis, which require advanced computation. The NPU’s ability to offload these tasks from the CPU and GPU allows for faster, more efficient operation of the entire system.

Unlocking the power of NPU on Surface: Our “Hello World” journey for DevOps and developers

AI Integration

Copilot – Your AI Companion

Integrating Copilot into Windows 11 on Surface devices brings a new level of intelligence and assistance. Copilot can help you with tasks like setting reminders, generating content, and providing insights. With improved speech recognition and the power of the Surface’s microphones and speakers, interacting with Copilot feels natural and efficient.

Microsoft Office and AI

Windows 11 leverages AI to enhance productivity tools like Microsoft Office. Copilot can offer intelligent suggestions and insights, helping you create polished documents, manage emails, and stay organized, all while utilizing the Surface’s powerful hardware.

Security Enhancements

Security is paramount in Windows 11, with features like Windows Hello, Microsoft Defender, and BitLocker providing robust protection. The new Windows Security Center offers a comprehensive overview of security settings, ensuring your Surface device is always secure. Windows Hello takes full advantage of the Surface’s IR camera for quick and secure logins.

Windows 11 Security

Hyper-V and Virtualization

Windows 11 includes advanced virtualization capabilities through Hyper-V, allowing you to create and manage virtual machines with ease. This feature is particularly useful for developers, IT professionals, and power users who need to run multiple operating systems or isolated environments on their Surface devices.

Windows Subsystem for Linux (WSL)

The Windows Subsystem for Linux (WSL) in Windows 11 provides a seamless way to run Linux distributions natively on your Surface device. WSL offers improved performance, compatibility, and integration with Windows tools, making it an essential feature for developers and tech enthusiasts.

WSL

Performance and Optimization

Windows 11 is designed to deliver improved performance and efficiency, with faster boot times, enhanced battery life, and better resource management. Surface devices leverage hardware advancements to provide a smoother and more responsive experience, ensuring you can work and play without interruptions.

Tips and Tricks

Here are some tips and tricks to help you get the most out of Windows 11 on your Surface device:

• Keyboard Shortcuts: Utilize the Surface’s keyboard shortcuts to navigate quickly and efficiently.
• Customization: Personalize your device with themes, wallpapers, and widgets that reflect your style.
• Pen Shortcuts: Take advantage of Surface Pen shortcuts for quick access to apps and features.
• Battery Optimization: Manage power settings to maximize battery life and keep your Surface running longer.
• Troubleshooting: Use the Windows Security Center and Device Manager to diagnose and fix common issues.
• Become a Windows Insider: Here you can test almost every week a new Windows 11 Insider Preview Build

Conclusion

Windows 11, combined with Copilot on Microsoft Surface devices, represents a significant leap forward in terms of design, functionality, and performance. The innovative features and improvements make it the operating system of choice for users around the world, providing a seamless and powerful experience that enhances every aspect of your digital life.

Here you find more information about Microsoft Windows 11

The New Microsoft Surface Laptop Copilot + PC

Microsoft Windows 11 Free training on MS-Learn

Microsoft Windows 11 Security Book for free

Enjoy your New Microsoft Surface Device with Copilot!
It’s Awesome

In the dynamic world of cloud computing, Microsoft continues to innovate with solutions that empower organizations to manage hybrid and multi-cloud environments effectively. One such groundbreaking solution is Azure Container Storage enabled by Azure Arc. This technology is designed to simplify and enhance the management of persistent storage for Kubernetes clusters, providing a unified and adaptive approach to cloud storage.

What is Azure Container Storage Enabled by Azure Arc?

Azure Container Storage enabled by Azure Arc is a first-party storage system designed for Arc-connected Kubernetes clusters. It serves as a native persistent storage solution, offering high availability, fault tolerance, and seamless data synchronization to Azure Blob Storage. This system is crucial for making Kubernetes clusters stateful, especially for Azure IoT Operations and other Arc services.

Key Features and Benefits

1. High Availability and Fault Tolerance: When configured as a 3-node cluster, Azure Container Storage enabled by Azure Arc replicates data between nodes (triplication) to ensure high availability and tolerance to single node failures.
2. Data Synchronization to Azure: Data written to volumes is automatically tiered to Azure Blob Storage, including block blob, ADLSgen-2, or OneLake. This ensures that data is securely stored and easily accessible in the cloud.
3. Low Latency Operations: Arc services, such as Azure IoT Operations, can expect low latency for read and write operations, making it ideal for real-time applications.
4. Simple Connection: Customers can easily connect to an Azure Container Storage enabled by Azure Arc volume using a CSI driver to start making Persistent Volume Claims against their storage.
5. Flexibility in Deployment: Azure Container Storage enabled by Azure Arc can be deployed as part of Azure IoT Operations or as a standalone solution, providing flexibility to meet various deployment needs.
6. Platform Neutrality: This storage system can run on any Arc Kubernetes supported platform, including Ubuntu + CNCF K3s/K8s, Windows IoT + AKS-EE, and Azure Stack HCI + AKS-HCI and Azure Local.

Microsoft Azure Local solution

 

Azure Container Storage Offerings

Azure Container Storage enabled by Azure Arc offers two main storage options:

1. Cache Volumes: The original offering, providing a reliable and fault-tolerant file system for Arc-connected Kubernetes clusters.
2. Edge Volumes: The newest offering, which includes Local Shared Edge Volumes and Cloud Ingest Edge Volumes. Local Shared Edge Volumes provide highly available, failover-capable storage local to your Kubernetes cluster, while Cloud Ingest Edge Volumes facilitate limitless data ingestion from edge to Blob storage.

Use Cases and Applications

Azure Container Storage enabled by Azure Arc is particularly beneficial for organizations with hybrid and multi-cloud environments. It supports various use cases, including:

• IoT Applications: Ensuring data integrity and synchronization in disconnected environments, making it ideal for IoT operations.
• Edge Computing: Providing local storage for scratch space, temporary storage, and locally persistent data unsuitable for cloud destinations.
• Data Ingestion: Facilitating seamless data transfer from edge to cloud, optimizing local resource utilization and reducing storage requirements.

Conclusion

Azure Container Storage enabled by Azure Arc represents the future of hybrid cloud storage, offering seamless onboarding, unified management, and adaptive capabilities. By leveraging this technology, organizations can overcome the challenges of hybrid and multi-cloud environments, streamline operations, and drive innovation.

Whether you’re just starting your cloud journey or looking to optimize your existing infrastructure, Azure Container Storage enabled by Azure Arc provides the tools and guidance you need to succeed. Embrace the power of this transformative solution and unlock new possibilities for your organization.

Jumpstart Drops is a good begin in your test environment, before you begin in production. Here you find a Jump start drop about “Create an Azure Container Storage enabled by Azure Arc Edge Volumes with CloudSync” by Anthony Joint.

More information:

Introducing Azure Local by Cosmos Darwin

Microsoft Adaptive Cloud

Announcement! Edge Storage Accelerator YouTube video. 

What is Microsoft Azure Arc Services?

Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

The security baselines can be configured through PowerShell, Windows Admin Center, and Azure Policy. The OSConfig tool is a security configuration stack that uses a scenario-based approach to deliver and apply the desired security measures for your environment. The security baselines throughout the device life cycle can be applied using OSConfig starting from the initial deployment process.

To verify that the OSConfig module is installed, run the following command:
Get-Module -ListAvailable -Name Microsoft.OSConfig

Here we check the Baseline Security Compliance:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = “Status”; Expression={$_.Compliance.Status} }, @{ Name = “Reason”; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

You will see that the Security Baseline is not Complaint.

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer

Now we do the Security Baseline Compliance Check again:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = “Status”; Expression={$_.Compliance.Status} }, @{ Name = “Reason”; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

Conclusion

With OSConfig you can set the default of Microsoft Security Baseline in a quick way. It’s important to test everything first in a test environment before you set these settings in production. Here you find more information on GitHub

You can make also your own custom Security Baselines with OSConfig.

Keep your Microsoft Security Baseline up-to-date

OSConfig Overview

 

Simple install of GitHub Copilot Free edition in VSCode
More information in the Marketplace here

GitHub Copilot free for VSCode

GitHub Copilot Free edition for Microsoft VSCode is very handy to get started with Infrastructure as Code (IaC) and make your own deployment scripts for Azure Cloud Services.

Here I asked for a bicep deployment script to deploy a Windows Server Insider Build into Azure Cloud.

What I really like is GitHub Copilot free speech extension in VSCode.
Now I can just Talk to Copilot and get the job done

Here you find all the information you need about GitHub Copilot free for VSCode

Conclusion

GitHub Copilot free in VSCode is a very handy AI tool to save time in your project and can support your work.
Copilot can make mistakes by using wrong information or data, that’s why you have always do the checks yourself and test first before you use it in production. Happy Infrastructure as Code with GitHub Copilot Free edition for VSCode

Once upon a time, in a world where technology and holiday cheer intertwined, there was a bustling community of developers eagerly awaiting the latest updates from the Microsoft Windows 11 and Windows Server Insider programs. As the festive season approached, the air was filled with excitement and anticipation.

In the heart of this community were the Microsoft MVPs (Most Valuable Professionals) and Docker Captains, who were known for their expertise and passion for technology. They decided to come together to create something truly magical for developers around the world.

One snowy evening, as the MVPs and Docker Captains gathered around a virtual fireplace, they began to brainstorm ideas. “What if we could combine the power of Windows 11, Windows Server, and Docker Containers to create a seamless development experience?” suggested one MVP, their eyes twinkling with excitement.

The idea quickly gained momentum, and soon, the group was hard at work. They envisioned a world where developers could effortlessly build, test, and deploy applications using the latest features of Windows 11 and Windows Server, all within the flexible and scalable environment of Docker Containers.

With the help of the Insider programs, they gained early access to cutting-edge features and updates. The MVPs and Docker Captains worked tirelessly, sharing their knowledge and expertise to create a series of tutorials, guides, and sample projects. These resources were designed to help developers harness the full potential of Windows 11, Windows Server, and Docker Containers.

As the holiday season progressed, the community began to see the fruits of their labor. Developers from all corners of the globe started to adopt the new tools and techniques, marveling at the ease and efficiency they brought to their workflows. The combination of Windows 11’s sleek interface, Windows Server’s robust capabilities, and Docker Containers’ flexibility created a harmonious symphony of technology.

To celebrate their success, the MVPs and Docker Captains organized a virtual holiday party. Developers joined from far and wide, sharing stories of their experiences and the innovative projects they had created. The virtual room was filled with laughter, camaraderie, and a shared sense of accomplishment.

As the night drew to a close, one of the Docker Captains raised a toast. “Here’s to the power of collaboration, the spirit of innovation, and the joy of the holiday season. May we continue to push the boundaries of technology and inspire developers everywhere.”

And so, the story of the Microsoft Windows 11 and Windows Server Insider Christmas, made possible by the dedication and expertise of the MVPs and Docker Captains, became a cherished tale in the developer community. It was a reminder that, with passion and teamwork, even the most ambitious dreams could come true.

Happy holidays, and may your coding adventures be merry and bright!