Vue lecture

Il y a de nouveaux articles disponibles, cliquez pour rafraîchir la page.

mountainss Cloud and Datacenter Management Blog

Microsoft Azure SRE Agent and Arc enabled Windows Server 2025

Bringing Reliability to the Edge: Azure SRE Agent Meets Windows Server 2025 with Arc for Adaptive Cloud

The next wave of hybrid cloud operations is no longer about simply connecting servers to Azure—it’s about giving every workload, wherever it runs, the same intelligent operational experience as native cloud services. With Windows Server 2025, Azure Arc, and the new Microsoft Azure SRE Agent, Microsoft is closing the gap between cloud and datacenter in a way that finally feels unified.

This post explores how these technologies fit together and why they matter for modern SRE, operations, and hybrid cloud engineering.

Why Azure SRE Agent Changes the Game

Azure SRE Agent is Microsoft’s new operational automation platform designed to reduce toil, accelerate incident response, and build institutional knowledge over time. It’s not just a bot—it’s an AI‑driven operational brain that learns your environment and executes tasks across Azure and hybrid systems.

It automates operational work so teams can focus on high‑value tasks
It connects observability tools, incident platforms, and source code systems to automate end‑to‑end workflows
It continuously builds expertise on your environment and remembers every investigation
It manages all Azure services through Azure CLI and REST APIs, including compute, storage, networking, databases, and monitoring

What makes SRE Agent unique is its learning loop. Every incident, every triage, every fix becomes part of a persistent knowledge base that never leaves your environment. New engineers ramp faster, and on‑call becomes more consistent and predictable.

Windows Server 2025: Built for Adaptive Cloud

Windows Server 2025 is the most cloud‑aligned release of Windows Server to date. It brings:

Deep Azure Arc integration
Modernized SMB, storage, and security
Hotpatching for non‑Azure VMs
Enhanced virtualization and container support
A platform designed for Adaptive Cloud—Microsoft’s strategy to unify cloud and edge operations

But the real magic happens when you connect Windows Server 2025 to Azure Arc and layer the SRE Agent on top.

Azure Arc: The Bridge to Adaptive Cloud

Azure Arc turns any server—physical, virtual, on‑premises, or multi‑cloud—into a first‑class Azure resource. For Windows Server 2025, Arc is not an add‑on; it’s the operational backbone.

With Arc, you get:

Azure Policy for servers
Azure Monitor and Log Analytics
Update management
Security baselines
Inventory and change tracking
GitOps for configuration
Arc‑enabled VM extensions (including custom agents)

This is where the SRE Agent fits perfectly.

How Azure SRE Agent Complements Arc‑Enabled Windows Server 2025

Unified Observability and Incident Automation

Arc brings Windows Server 2025 into Azure Monitor and Log Analytics.
SRE Agent then uses those signals to:

Automate triage
Trigger runbooks
Correlate recurring alerts
Reduce alert fatigue
Generate weekly hygiene and monthly threshold audits

Because SRE Agent integrates natively with Azure Monitor alerts, Application Insights, and Log Analytics, it becomes the automation layer on top of Arc’s observability foundation.

Runbooks and Subagents for Hybrid Operations

SRE Agent supports:

Custom runbooks
Azure CLI automation
REST API calls
Subagents for specialized services (VMs, databases, networking)

This means you can automate:

Windows Server 2025 patching
Storage troubleshooting
Network diagnostics
Service restarts
Log collection
Configuration drift correction

All triggered by alerts, schedules, or incidents.

Institutional Knowledge for Hybrid Environments

Every investigation teaches the agent something new:

Root causes
Resolution steps
Team preferences
Operational patterns

This knowledge persists across conversations and across your hybrid estate.
For organizations with large Windows Server fleets, this is transformative.

Consistent Operations Across Cloud and Datacenter

Adaptive Cloud is about making on‑prem feel like Azure.
With Arc + SRE Agent:

Azure Monitor alerts → same experience
Incident workflows → same experience
Automation → same experience
Knowledge base → shared across environments

Windows Server 2025 becomes a true extension of Azure—not just connected, but operationally unified.

A Practical Example: Automated Incident Response on Windows Server 2025

Imagine a Windows Server 2025 VM running on‑prem, Arc‑enabled, and monitored by Azure Monitor.

Disk latency spikes
Azure Monitor fires an alert.
SRE Agent receives the alert
It correlates with similar incidents from the past month.
Agent runs diagnostics
Using Azure CLI and REST API automation through Arc.
Agent identifies the root cause
A runaway process consuming I/O.
Agent mitigates automatically
- Restarts the service
- Collects logs
- Updates the incident ticket
- Suggests preventive actions based on historical patterns

This is not theoretical—this is exactly what SRE Agent is designed to do.

Why This Matters for SRE and Ops Teams

Less Toil, More Engineering

SRE Agent automates the repetitive work that burns out on‑call engineers.

Faster MTTR

Automated triage and mitigation reduce downtime dramatically.

Better On‑Call Experience

New engineers inherit the agent’s knowledge from day one.

Consistent Hybrid Operations

Arc + SRE Agent gives you a single operational model across cloud and datacenter.

Future‑Proofing

Windows Server 2025 is built for Adaptive Cloud, and SRE Agent is the automation engine that makes it real.

Conclusion: The Future of Hybrid Reliability Engineering

The combination of:

Windows Server 2025
Azure Arc
Azure SRE Agent

creates a hybrid environment where operational excellence is built‑in, not bolted on.

SRE Agent brings intelligence and automation.
Arc brings governance and observability.
Windows Server 2025 brings a modern, cloud‑aligned OS.

Together, they deliver the most complete Adaptive Cloud experience Microsoft has ever offered.

If you’re building a hybrid environment that needs reliability, automation, and consistency, this trio should be at the top of your roadmap.
Important Note: Always test first this configuration in a test environment before you go into production.

Here you find more information about Azure SRE Agent to get Started

Step‑by‑Step: Deploying SRE Agent for Arc‑Enabled Servers

Below is a practical, engineering‑focused workflow you can use in production.

Prerequisites

Before deploying SRE Agent, ensure:

Windows Server 2025 is Arc‑enabled

Your server must appear as a connected machine in Azure Arc.

Azure Monitor Agent (AMA) is installed

SRE Agent relies on metrics, logs, and alerts from Azure Monitor to drive investigations and automations.

Log Analytics workspace is configured

This is where SRE Agent queries logs and correlates signals during root cause analysis.

You have permissions

You need:

Azure Contributor (or custom role with ARM + extension permissions)
Ability to deploy VM extensions to Arc machines

Create Your SRE Agent in the Portal

“Create and set up your first agent” is the starting point for onboarding

In Azure Portal:

Search for Azure SRE Agent
Select Create Agent (NEW then you go to https://sre.azure.com)
Sign in with your Azure Account.
Choose:
- Subscription
- Resource group
- Region
Assign an Agent name
Select your Model provider ( Important: Learn more about your data protection)
Link your Log Analytics workspace

This creates the operational brain that will manage your hybrid servers.

Connect SRE Agent to Your Arc‑Enabled Servers

SRE Agent works across any Azure resource accessible via ARM, Azure CLI, or REST APIs

For Arc‑enabled servers, this means:

Option A — Use the SRE Agent Portal

Option B — Use Azure CLI

az sre agent resource add \

This registers the server so SRE Agent can query logs, metrics, and run automations.

Add Runbooks, Docs, and Custom Logic

You can “enhance your agent with runbooks, architecture docs, and domain‑specific custom agents”

For Windows Server 2025, common runbooks include:

Restarting Windows services
Collecting event logs
Checking disk latency
Resetting IIS pools
Running PowerShell remediation scripts
Triggering Arc extension installs

Upload these into the SRE Agent portal under Automation.

Configure Alerts to Trigger SRE Agent

SRE Agent delivers “autonomous incident response” by reacting to Azure Monitor alerts

For Arc‑enabled servers:

Open Azure Monitor → Alerts
Create rules for:
- CPU spikes
- Memory pressure
- Disk latency
- Service crashes
- Security events
Set Action Group → SRE Agent

Now SRE Agent will automatically:

Gather context
Query logs, metrics, traces
Identify root cause
Suggest or execute mitigations

Enable Scheduled Tasks for Routine Operations

SRE Agent can run scheduled tasks for routine operations

For Windows Server 2025, useful schedules include:

Daily health checks
Weekly patch compliance scans
Monthly configuration drift audits
Log cleanup routines
Certificate expiry checks

These tasks run across Arc‑enabled servers without needing Azure Automation or DSC.

Let the Agent Learn Your Environment

SRE Agent improves over time:

Day 1: Answers questions, runs queries, analyzes metrics
Week 1: Learns team patterns and critical metrics
Month 1: Recognizes recurring issues and applies past learnings automatically

This is especially powerful in hybrid environments where operational knowledge is often tribal and undocumented.

What You Gain After Deployment

Once SRE Agent is fully connected to your Arc‑enabled Windows Server 2025 fleet, you get:

Autonomous Incident Response

Triggered by Azure Monitor alerts, SRE Agent performs triage, root cause analysis, and remediation.

Multi‑Signal Correlation

It queries logs, metrics, traces, and deployment history simultaneously to identify issues faster

Extensible Automation

Built‑in connectors plus MCP integrations for Slack, Jira, Datadog, and internal APIs

Knowledge That Never Leaves

Every investigation is stored as persistent operational knowledge for your team

Unified Hybrid Operations

Arc + SRE Agent gives you a consistent operational model across cloud and datacenter.

Conclusion

Deploying Azure SRE Agent on Arc‑enabled Windows Server 2025 is one of the most impactful steps you can take toward a true Adaptive Cloud environment. You get:

Cloud‑grade automation
Hybrid observability
AI‑driven incident response
Persistent operational knowledge
A unified experience across your entire estate

This is the future of hybrid SRE — and it’s available today!

mountainss Cloud and Datacenter Management Blog

The Ultimate Azure Virtual Machine Guide

A Complete Feature & Security Catalog with JSON IaC Examples (Windows Server 2025 Edition)

Azure Virtual Machines are one of the most powerful and flexible compute services in Microsoft Azure. Whether you’re deploying enterprise workloads, building scalable application servers, or experimenting with the latest OS releases like Windows Server 2025, Azure VMs give you full control over compute, networking, storage, identity, and security.

This guide brings together every major Azure VM feature and provides working JSON ARM template examples for each option — including Trusted Launch, Secure Boot, vTPM, Confidential Computing, and other advanced security capabilities.

What are Azure Resource Manager templates (ARM)? Read this first for more information about the basic of JSON templates

This is the unified reference — now available in one place.

Compute & VM Sizes
OS Images (Windows Server 2025)
OS Disk Options
Data Disks
Networking
Public IP Options
Boot Diagnostics
Managed Identity
VM Generation (Gen2)
Availability Options
VM Extensions
Disk Encryption
Azure AD Login
Just-In-Time Access
Defender for Cloud
Load Balancer Integration
Private Endpoints
Auto-Shutdown
Spot VM
Azure Hybrid Benefit
Dedicated Host
Backup
Update Management
Azure Compute Gallery
VM Scale Sets
WinRM
Guest Configuration
Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)
Confidential Computing (AMD SEV‑SNP / Intel TDX)
Additional Security Hardening Settings
Resource Locks

1. Compute & VM Sizes

"hardwareProfile": {
  "vmSize": "D4s_v5"
}

2. OS Image (Windows Server 2025)

"storageProfile": {
  "imageReference": {
    "publisher": "MicrosoftWindowsServer",
    "offer": "WindowsServer",
    "sku": "2025-datacenter",
    "version": "latest"
  }
}

3. OS Disk Options

Premium SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "Premium_LRS"
  }
}

Standard SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "StandardSSD_LRS"
  }
}

4. Data Disks

Premium SSD

"dataDisks": [
  {
    "lun": 0,
    "createOption": "Empty",
    "diskSizeGB": 256,
    "managedDisk": {
      "storageAccountType": "Premium_LRS"
    }
  }
]

Ultra Disk

"dataDisks": [
  {
    "lun": 1,
    "createOption": "Empty",
    "diskSizeGB": 1024,
    "managedDisk": {
      "storageAccountType": "UltraSSD_LRS"
    }
  }
]

5. Networking

NIC Configuration

{
  "type": "Microsoft.Network/networkInterfaces",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-nic')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "ipConfigurations": [
      {
        "name": "ipconfig1",
        "properties": {
          "subnet": {
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'default')]"
          },
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '-pip'))]"
          }
        }
      }
    ]
  }
}

Accelerated Networking

"properties": {
  "enableAcceleratedNetworking": true
}

6. Public IP Options

{
  "type": "Microsoft.Network/publicIPAddresses",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-pip')]",
  "location": "[resourceGroup().location]",
  "sku": { "name": "Standard" },
  "properties": {
    "publicIPAllocationMethod": "Static"
  }
}

7. Boot Diagnostics

Managed Storage

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true
  }
}

Storage Account

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true,
    "storageUri": "https://mystorage.blob.core.windows.net/"
  }
}

8. Managed Identity

System Assigned

"identity": {
  "type": "SystemAssigned"
}

User Assigned

"identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'myIdentity')]": {}
  }
}

9. VM Generation (Gen2)

"securityProfile": {
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

10. Availability Options

Availability Set

"availabilitySet": {
  "id": "[resourceId('Microsoft.Compute/availabilitySets', 'myAvailSet')]"
}

Availability Zone

"zones": [ "1" ]

Proximity Placement Group

"proximityPlacementGroup": {
  "id": "[resourceId('Microsoft.Compute/proximityPlacementGroups', 'myPPG')]"
}

11. VM Extensions

Custom Script Extension

{
  "type": "extensions",
  "apiVersion": "2022-11-01",
  "name": "customScript",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "fileUris": [
        "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/sample.ps1"
      ],
      "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1"
    }
  }
}

Domain Join Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "joindomain",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "settings": {
      "Name": "contoso.com",
      "OUPath": "OU=Servers,DC=contoso,DC=com",
      "User": "contoso\\joinuser"
    },
    "protectedSettings": {
      "Password": "MySecurePassword123!"
    }
  }
}

DSC Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "dscExtension",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.83",
    "settings": {
      "configuration": {
        "url": "https://mystorage.blob.core.windows.net/dsc/MyConfig.ps1.zip",
        "script": "MyConfig.ps1",
        "function": "Main"
      }
    }
  }
}

12. Disk Encryption

SSE with CMK

"managedDisk": {
  "storageAccountType": "Premium_LRS",
  "diskEncryptionSet": {
    "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
  }
}

Azure Disk Encryption (BitLocker)

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AzureDiskEncryption",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "2.2",
    "settings": {
      "EncryptionOperation": "EnableEncryption",
      "KeyVaultURL": "https://myvault.vault.azure.net/",
      "KeyVaultResourceId": "[resourceId('Microsoft.KeyVault/vaults', 'myvault')]",
      "KeyEncryptionKeyURL": "https://myvault.vault.azure.net/keys/mykey/1234567890"
    }
  }
}

13. Azure AD Login for Windows

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AADLoginForWindows",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.ActiveDirectory",
    "type": "AADLoginForWindows",
    "typeHandlerVersion": "1.0"
  }
}

14. Just-In-Time Access

{
  "type": "Microsoft.Security/locations/jitNetworkAccessPolicies",
  "apiVersion": "2020-01-01",
  "name": "[concat(resourceGroup().location, '/jitPolicy')]",
  "properties": {
    "virtualMachines": [
      {
        "id": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
        "ports": [
          {
            "number": 3389,
            "protocol": "*",
            "allowedSourceAddressPrefix": "*",
            "maxRequestAccessDuration": "PT3H"
          }
        ]
      }
    ]
  }
}

15. Defender for Cloud

{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "VirtualMachines",
  "properties": {
    "pricingTier": "Standard"
  }
}

16. Load Balancer Integration

"loadBalancerBackendAddressPools": [
  {
    "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'vm-lb', 'BackendPool')]"
  }
]

17. Private Endpoint

{
  "type": "Microsoft.Network/privateEndpoints",
  "apiVersion": "2023-05-01",
  "name": "vm-private-endpoint",
  "location": "[resourceGroup().location]",
  "properties": {
    "subnet": {
      "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'private')]"
    },
    "privateLinkServiceConnections": [
      {
        "name": "vm-connection",
        "properties": {
          "privateLinkServiceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
          "groupIds": [ "nic" ]
        }
      }
    ]
  }
}

18. Auto-Shutdown

{
  "type": "Microsoft.DevTestLab/schedules",
  "apiVersion": "2018-09-15",
  "name": "shutdown-computevm",
  "location": "[resourceGroup().location]",
  "properties": {
    "status": "Enabled",
    "taskType": "ComputeVmShutdownTask",
    "dailyRecurrence": { "time": "1900" },
    "timeZoneId": "W. Europe Standard Time",
    "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
  }
}

19. Spot VM

"priority": "Spot",
"evictionPolicy": "Deallocate",
"billingProfile": {
  "maxPrice": -1
}

20. Azure Hybrid Benefit

"licenseType": "Windows_Server"

21. Dedicated Host

"host": {
  "id": "[resourceId('Microsoft.Compute/hosts', 'myHostGroup', 'myHost')]"
}

22. Backup

{
  "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
  "apiVersion": "2023-02-01",
  "name": "[concat('vault/azure/protectioncontainer/', parameters('vmName'))]",
  "properties": {
    "protectedItemType": "Microsoft.Compute/virtualMachines",
    "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', 'vault', 'DefaultPolicy')]"
  }
}

23. Update Management

{
  "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
  "apiVersion": "2020-01-13-preview",
  "name": "vm-updates",
  "properties": {
    "updateConfiguration": {
      "operatingSystem": "Windows",
      "duration": "PT2H"
    }
  }
}

24. Azure Compute Gallery

"imageReference": {
  "id": "[resourceId('Microsoft.Compute/galleries/images/versions', 'myGallery', 'myImage', '1.0.0')]"
}

25. VM Scale Sets (VMSS)

{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2023-03-01",
  "name": "vmss",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "D4s_v5",
    "capacity": 2
  }
}

26. WinRM Configuration

"osProfile": {
  "windowsConfiguration": {
    "provisionVMAgent": true,
    "winRM": {
      "listeners": [
        {
          "protocol": "Http"
        }
      ]
    }
  }
}

27. Guest Configuration Policies

{
  "type": "Microsoft.PolicyInsights/remediations",
  "apiVersion": "2021-10-01",
  "name": "guestconfig-remediation",
  "properties": {
    "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', 'guestConfigAssignment')]"
  }
}

28. Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)

Trusted Launch protects against firmware-level attacks and rootkits.

Enable Trusted Launch

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Enable Integrity Monitoring

{
  "type": "Microsoft.Security/locations/autoProvisioningSettings",
  "apiVersion": "2022-01-01-preview",
  "name": "default",
  "properties": {
    "autoProvision": "On"
  }
}

29. Confidential Computing (AMD SEV‑SNP / Intel TDX)

Enable Confidential VM Mode

"securityProfile": {
  "securityType": "ConfidentialVM",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Confidential Disk Encryption

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "securityProfile": {
      "securityEncryptionType": "VMGuestStateOnly"
    }
  }
}

30. Additional Security Hardening Settings

Patch Orchestration

"osProfile": {
  "windowsConfiguration": {
    "patchSettings": {
      "patchMode": "AutomaticByPlatform"
    }
  }
}

Host Firewall Enforcement

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "WindowsFirewall",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "commandToExecute": "powershell.exe -Command \"Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True\""
    }
  }
}

31. Resource Locks (CanNotDelete & ReadOnly)

Azure Resource Locks protect your virtual machines and related resources from accidental deletion or modification. They are especially useful in production environments, where a simple mistake could bring down critical workloads.
Azure supports two lock types CanNotDelete and ReadOnly

Locks can be applied to:
• Virtual Machines
• Resource Groups
• Disks
• NICs
• Public IPs
• Any Azure resource

Add a CanNotDelete Lock to a VM

{
“type”: “Microsoft.Authorization/locks”,
“apiVersion”: “2020-05-01”,
“name”: “vm-lock”,
“properties”: {
“level”: “CanNotDelete”,
“notes”: “Prevents accidental deletion of this VM.”
}
}

Add a Lock to a Disk (recommended for production)

{
“type”: “Microsoft.Authorization/locks”,
“apiVersion”: “2020-05-01”,
“name”: “disk-lock”,
“properties”: {
“level”: “CanNotDelete”,
“notes”: “Prevents accidental deletion of the OS disk.”
},
“scope”: “[resourceId(‘Microsoft.Compute/disks’, concat(parameters(‘vmName’), ‘-osdisk’))]”
}

Final Thoughts

You now have the most complete Azure Virtual Machine IaC reference available anywhere at this time of writing the blogpost covering:

Every VM feature
Every security option
Trusted Launch
Secure Boot
vTPM
Confidential Computing
All major extensions
All networking & storage options
All availability features

Here you find more information on Microsoft docs with examples

Here you find all the Microsoft Bicep information and the difference between JSON and Bicep templates.

Here you find Microsoft Azure Virtual Machine Baseline Architecture

Are all the JSON examples fully functional and tested in Azure?

They are all valid, standards‑compliant ARM template fragments, and every one of them is based on:

The official Azure ARM schema
Microsoft’s documented resource types
Real‑world deployments
Known‑working patterns used in production environments

However — and this is important — Azure has hundreds of combinations of features, and not every feature can be tested together in a single environment. So here’s the breakdown:

Fully functional & deployable as‑is

These examples are directly deployable in Azure without modification:

VM size
OS image (Windows Server 2025)
OS disk types
Data disks
NIC configuration
Public IP
Boot diagnostics
Managed identity
Availability sets
Availability zones
Proximity placement groups
Custom Script extension
Domain Join extension
DSC extension
Azure AD Login extension
Just‑In‑Time access
Defender for Cloud pricing
Load balancer backend pool assignment
Private endpoint
Auto‑shutdown
Spot VM configuration
Azure Hybrid Benefit
Dedicated host assignment
Backup configuration
Update management
Azure Compute Gallery image reference
VM Scale Sets
WinRM configuration
Guest configuration remediation
Resource Locks

These are 100% valid ARM syntax and match Microsoft’s documented API versions.

Fully valid, but require environment‑specific resources

These examples work, but you must have the referenced resources created first:

Disk Encryption Set (CMK)

"diskEncryptionSet": {
  "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
}

Requires a Disk Encryption Set + Key Vault.

Backup

Requires a Recovery Services Vault + Backup Policy.

Domain Join

Requires a reachable domain controller + correct credentials.

Private Endpoint

Requires a Private Link Service target.

Update Management

Requires an Automation Account.

These are still fully functional, but they depend on your environment.

Trusted Launch & Confidential Computing

These are valid ARM configurations, but:

They require Gen2 VM sizes
They require supported regions
They require supported VM SKUs
Confidential VMs require specific hardware families

The JSON is correct, but Azure enforces compatibility rules.

For example:

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

This works only on Gen2 VMs.

And:

"securityType": "ConfidentialVM"

Works only on:

DCasv5
ECasv5
DCesv5
ECesv5

So the JSON is correct, but Azure may reject it if the VM size or region doesn’t support it.

Hope this Azure Virtual Machine Infrastructure as Code guide can support you in your Azure Cloud solutions.

All the Microsoft Azure Virtual Machine features and options today.

mountainss Cloud and Datacenter Management Blog

Windows Admin Center 2511 Build 2.5.1.49 (Preview) and Security of Windows Server

Windows Admin Center Secured-core server view

The latest Windows Admin Center (WAC) release, version 2511 (November 2025, public preview), introduces refreshed management tools and deeper integration with modern Windows security features like Secure Boot, TPM 2.0, Kernel DMA Protection, Virtualization‑based Security (VBS), and OSConfig baselines for Windows Server.

Secured-core is a collection of capabilities that offers built-in hardware, firmware, driver and operating system security features. The protection provided by Secured-core systems begins before the operating system boots and continues whilst running. Secured-core server is designed to deliver a secure platform for critical data and applications.

Secured-core server is built on three key security pillars:

Creating a hardware backed root of trust.
Defense against firmware level attacks.
Protecting the OS from the execution of unverified code.

Windows Admin Center 2511: Security Meets Modern Management

Windows Admin Center has steadily evolved into the preferred management platform for Windows Server and hybrid environments. With the 2511 build now in public preview, Microsoft continues to refine the experience for IT administrators, blending usability improvements with defense‑in‑depth security Microsoft Community.

Security Features at the Core

What makes this release stand out is how WAC aligns with the latest Windows security stack. Let’s break down the highlights:

OSConfig Security Baselines
WAC now integrates baseline enforcement, ensuring servers adhere to CIS Benchmarks and DISA STIGs. Drift control automatically remediates deviations, keeping configurations locked to secure defaults. ( I like this one!)
Hardware‑based Root of Trust
Through TPM 2.0 and System Guard, WAC can validate boot integrity. This means admins can remotely attest that servers started securely, free from tampering.
Kernel DMA Protection
Thunderbolt and USB4 devices are notorious vectors for DMA attacks. WAC surfaces configuration and compliance checks, ensuring IOMMU‑based protection is active.
Secure Boot Management
OEM Secure Boot policies are visible and manageable, giving admins confidence that only signed, trusted firmware and drivers load during startup.
Virtualization‑based Security (VBS)
WAC exposes controls for enabling VBS and Memory Integrity (HVCI). These features isolate sensitive processes in a hypervisor‑protected environment, blocking unsigned drivers and kernel exploits.

Windows Server security baseline not yet implemented as you can see

What’s New in Build 2511

Beyond security, version 2511 delivers refinements to the virtual machines tool, installer improvements, and bug fixes. Combined with the backend upgrade to .NET 8 in the earlier 2410 GA release, WAC is faster, more reliable, and better equipped for enterprise workloads.

Why It Matters

In today’s hybrid IT landscape, security and manageability must coexist. Windows Admin Center 2511 demonstrates Microsoft’s commitment to:

Unified management: One pane of glass for servers, clusters, and Azure Arc‑connected resources.
Compliance assurance: Built‑in baselines reduce audit headaches.
Future‑proof security: Hardware‑rooted trust and virtualization‑based isolation protect against evolving threats.

Final Thoughts

If you’re an IT admin preparing for Windows Server 2025 deployments, the new Windows Admin Center build is more than just a management tool—it’s a security enabler. By weaving in Secure Boot, TPM, DMA protection, and VBS, WAC ensures that your infrastructure isn’t just easier to manage, but fundamentally harder to compromise.

Here you find the Microsoft docs :

What is Secured-core server for Windows Server | Microsoft Learn

OSConfig overview for Windows Server | Microsoft Learn

How System Guard helps protect Windows | Microsoft Learn

Kernel DMA Protection | Microsoft Learn

Secure boot | Microsoft Learn

Trusted Plaform Module (TPM) 2.0 | Microsoft Learn

Virtualization-based Security (VBS) | Microsoft Learn

Enable memory integrity | Microsoft Learn

What is Windows Admin Center Virtualization Mode (Preview)?

Windows Admin Center Virtualization Mode is a purpose-built management experience for virtualization infrastructure. It enables IT professionals to centrally administer Hyper-V hosts, clusters, storage, and networking at scale.

Unlike administration mode, which focuses on general system management, Virtualization Mode focuses on fabric management. It supports parallel operations and contextual views for compute, storage, and network resources. This mode is optimized for large-scale, cluster-based environments and integrates lifecycle management, global search, and role-based access control.

Virtualization Mode offers the following key capabilities:

Search across navigation objects with contextual filtering.
Support for SAN, NAS, hyperconverged, and scale-out file server architectures.
VM templates, integrated disaster recovery with Hyper-V Replica, and onboarding of Arc-enabled resources (future capability).
Software-defined storage and networking (not available at this time).

Install Windows Admin Center Virtualization Mode

Test all these New features of Windows Admin Center and Windows Server in your test environment and be ready for production when it becomes general available. Download Windows Admin Center 2511 Preview here

mountainss Cloud and Datacenter Management Blog

Windows Server 2025 Core and Docker – A Modern Container Host Architecture

As businesses race toward cloud-native infrastructure and microservices, Windows Server 2025 Core emerges as a lean, powerful platform for hosting Docker containers. With its minimal footprint and robust security posture, Server Core paired with Docker offers a compelling solution for modern application deployment.

Architecture Design: Windows Server Core + Docker

Windows Server 2025 Core is a headless, GUI-less version of Windows Server designed for performance and security. When used as a Docker container host, it provides:

Lightweight OS footprint: Reduces attack surface and resource consumption.
Hyper-V isolation: Enables secure container execution with kernel-level separation.
Support for Nano Server and Server Core images: Ideal for running Windows-based microservices.
Integration with Azure Kubernetes Service (AKS): Seamless orchestration in hybrid environments.

Key Components

Component	Role in Architecture
Windows Server 2025 Core	Host OS with minimal services
Docker Engine	Container runtime for managing containers
Hyper-V	Optional isolation layer for enhanced security
PowerShell / CLI Tools	Management and automation
Windows Admin Center	GUI-based remote management

Installation Guide

Setting up Docker on Windows Server 2025 Core is straightforward but requires precision. Here’s a simplified walkthrough:

Windows Server 2025 Datacenter Core running

Install Required Features

Use PowerShell to install Hyper-V and Containers features:

Install-WindowsFeature -Name Hyper-V, Containers -IncludeManagementTools -Restart

Install Docker

Download and install Docker from the official source or use the PowerShell script provided by Microsoft:

Invoke-WebRequest “https://download.docker.com/win/static/stable/x86_64/docker-28.4.0.zip” -OutFile “docker.zip”

Unzip and configure Docker as a service:

at Docker directory to your path

Add the Docker config directory

Set the daemon

Create the Docker Service

net start docker

docker version

Docker Host on Windows Server 2025 Core is Installed

Configure Networking

Ensure proper NAT or transparent networking for container communication.

Pull Base Images

Use Docker CLI to pull Windows container images:

docker pull mcr.microsoft.com/windows/servercore:ltsc2025

Test Deployment

Run a sample Windows Server 2025 core container:

docker run -it mcr.microsoft.com/windows/servercore:ltsc2025

Inside the Windows Server 2025 Core Container on the Docker host.

Best Practices

To maximize reliability, security, and scalability:

Use Hyper-V isolation for sensitive workloads.
Automate deployments with PowerShell scripts or CI/CD pipelines.
Keep base images updated to patch vulnerabilities.
Monitor containers using Azure Arc monitoring or Windows Admin Center.
Limit container privileges and avoid running as Administrator.
Use volume mounts for persistent data storage.

Conclusion: Why It Matters

For developers, Windows Server 2025 Core with Docker offers:

Fast iteration cycles with isolated environments.
Consistent dev-to-prod workflows using container images.
Improved security with minimal OS footprint and Hyper-V isolation.

For businesses, the benefits are even broader:

Reduced infrastructure costs via efficient resource usage.
Simplified legacy modernization by containerizing Windows apps.
Hybrid cloud readiness with Azure integration and Kubernetes support.
Scalable architecture for microservices and distributed systems.

Windows Server 2025 Core isn’t just a server OS—it’s a launchpad for modern, secure, and scalable containerized applications. Whether you’re a developer building the next big thing or a business optimizing legacy systems, this combo is worth the investment.

Integrating Azure Arc into the Windows Server 2025 Core + Docker Architecture for Adaptive Cloud

Overview

Microsoft Azure Arc extends Azure’s control plane to your on-premises Windows Server 2025 Core container hosts. By onboarding your Server Core machines as Azure Arc–enabled servers, you gain unified policy enforcement, monitoring, update management, and GitOps-driven configurations—all while keeping workloads close to the data and users.

Architecture Extension

Azure Connected Machine Agent
Installs on Windows Server 2025 Core as a Feature on Demand, creating an Azure resource that represents your physical or virtual machine in the Azure portal.
Control Plane Integration
Onboarded servers appear in Azure Resource Manager (ARM), letting you apply Azure Policy, role-based access control (RBAC), and tag-based cost tracking.
Hybrid Monitoring & Telemetry
Azure Monitor collects logs and metrics from Docker Engine, container workloads, and host-level performance counters—streamlined into your existing Log Analytics workspaces.
Update Management & Hotpatching
Leverage Azure Update Manager to schedule Windows and container image patches. Critical fixes can even be applied via hotpatching on Arc-enabled machines without a reboot.
GitOps & Configuration as Code
Use Azure Arc–enabled Kubernetes to deploy container workloads via Git repositories, or apply Desired State Configuration (DSC) policies to Server Core itself.

Adaptive Cloud Features Enabled

Centralized Compliance
Apply Azure Policies to enforce security baselines across every Docker host, ensuring drift-free configurations.
Dynamic Scaling
Trigger Azure Automation runbooks or Logic Apps when performance thresholds are breached, auto-provisioning new container hosts.
Unified Security Posture
Feed security alerts from Microsoft Defender for Cloud into Azure Sentinel, correlating threats across on-prem and cloud.
Hybrid Kubernetes Orchestration
Extend AKS clusters to run on Arc-connected servers, enabling consistent deployment pipelines whether containers live on Azure or in your datacenter.

More information about Innovate on an Adaptive Cloud here

Integration Walkthrough

Prepare your Server Core host (ensure Hyper-V, Containers, and Azure Arc Feature on Demand are installed).
Install Azure Arc agent via Azure PowerShell
In the Azure portal, navigate to Azure Arc > Servers, and verify your machine is onboarded.
Enable Azure Policy assignments, connect to a Log Analytics workspace, and turn on Update Management.
(Optional) Deploy the Azure Arc GitOps operator for containerized workloads across hybrid clusters.

Visualizing Azure Arc in Your Diagram

Above your existing isometric architecture, add a floating “Azure Cloud Control Plane” layer that includes:

ARM with Policy assignments
Azure Monitor / Log Analytics
Update Manager + Hotpatch service
GitOps repo integrations

Draw data and policy-enforcement arrows from this Azure layer down to your Windows Server Core “building,” Docker cube, container workloads, and Hyper-V racks—demonstrating end-to-end adaptive management.

Why It Matters

Integrating Azure Arc transforms your static container host into an adaptive cloud-ready node. You’ll achieve:

Consistent governance across on-prem and cloud
Automated maintenance with zero-downtime patching
Policy-driven security at scale
Simplified hybrid Kubernetes and container lifecycle management

With Azure Arc, your Windows Server 2025 Core and Docker container hosts become full citizens of the Azure ecosystem—securing, monitoring, and scaling your workloads wherever they run.

Better Together

mountainss Cloud and Datacenter Management Blog

Unlocking Tomorrow’s Infrastructure Today: How the Windows Server Insider Program Powers Enterprise Innovation

Windows Server 2025 Insider Preview Build 26433 Datacenter Edition

In a digital era where agility, security, and resilience define success, enterprises are constantly seeking ways to future-proof their IT infrastructure. Enter the Windows Server Insider Program — a gateway into the future of Windows Server, offering IT professionals and enterprise architects a unique head-start in shaping and testing tomorrow’s server technologies.

What Is the Windows Server Insider Program?

At its core, the Windows Server Insider Program is Microsoft’s early-access platform for organizations and individuals eager to test pre-release versions of Windows Server. It allows IT departments to explore upcoming features, evaluate improvements, and provide feedback well before general availability — all while aligning their roadmap with Microsoft’s evolving ecosystem.

Strategic Benefits for Enterprise Businesses

Early Access to Innovation

Being the first to test new builds offers a strategic advantage. Enterprises can evaluate enhancements such as improved virtualization support, deeper integration with Azure services, and security updates, giving them ample lead time to plan deployments and migrations.

Security Readiness

With constantly evolving cybersecurity threats, security must be proactive, not reactive. Insider builds often preview cutting-edge security features, like Just-in-Time administration and advanced auditing, enabling security teams to assess and incorporate them into enterprise policies early on.

Operational Efficiency through Feedback

Insiders are encouraged to report issues, suggest enhancements, and contribute to the design process. Enterprises that participate become co-creators in shaping Windows Server — turning feedback into business-aligned features that improve workflows and infrastructure performance.

Skills Development and Training

IT professionals gain first-hand experience with upcoming technologies, enhancing team expertise and preparing staff for smoother transitions during official releases. This becomes a valuable part of enterprise L&D strategies, minimizing learning curves and avoiding costly deployment surprises.

Better Long-Term Planning

Access to Insider builds allows enterprises to assess hardware compatibility, benchmark performance, and refine internal tools or scripts, reducing friction during upgrades or cloud migrations.

Real-World Scenario: Testing Hybrid Flexibility

Imagine an enterprise planning a hybrid infrastructure strategy using Azure Arc and on-prem Windows Server. By experimenting with preview builds, they can test hybrid management policies, refine group configurations, and validate security baselines — all without impacting production environments.

How to Get Started

Enrollment is straightforward. Enterprises can sign up using their Microsoft account and download the latest Insider builds from the Windows Server Insider Preview portal.

Final Thoughts

In enterprise tech, innovation waits for no one. The Windows Server Insider Program offers more than just access — it’s a strategic lever for proactive IT leadership. By embracing this program, organizations gain the insight, influence, and preparedness to lead in the evolving digital landscape.

If your enterprise hasn’t joined yet, now might be the best time to get ahead of the curve — because the future of infrastructure isn’t just about adopting change. It’s about helping build it.

mountainss Cloud and Datacenter Management Blog

Unleashing the Future Windows Server 2025 Hyper‑V Virtualization & Advanced Security

Unleashing the Future: Windows Server 2025’s Hyper‑V Virtualization & Advanced Security

Microsoft Windows Server 2025 is rewriting the playbook on enterprise virtualization. With its Hyper‑V solution at the core, it delivers not only powerful computing and storage capabilities but also a resilient security foundation that addresses today’s rapidly evolving threat landscape. In this post, we’ll explore the architectural advances, enhanced virtualization features, and robust security mechanisms baked into this release.

Hyper‑V in Windows Server 2025: A New Paradigm in Virtualization

A Strategic and Integrated Platform

Hyper‑V remains Microsoft’s flagship hardware virtualization technology—now scaled to meet modern data center demands. In Windows Server 2025, Hyper‑V serves as the backbone for a wide array of Microsoft solutions, from on‑premises infrastructures to cloud integrations via Azure and Azure Arc. This unified approach ensures seamless orchestration across hybrid environments, providing flexibility and cost efficiencies to businesses switching between workloads on Windows Server Standard and Datacenter editions. Notably, while the Standard edition grants licensing rights to run two Windows Server guest operating systems, the Datacenter edition offers unlimited virtualization rights, empowering enterprises with a dramatic boost in scalability.

Virtual Machines Optimized for Modern Workloads

Hyper‑V’s modern enhancements are not just about quantity but also quality. The solution supports a diverse catalog of guest operating systems—including not only Windows but also leading Linux distributions such as Red Hat Enterprise Linux, CentOS, Debian, Oracle Linux, SUSE, and Ubuntu, with integration services natively updated within the Linux kernel. Even FreeBSD gets its own integration enhancements for improved performance. By offering this extensive compatibility, Microsoft ensures that organizations can integrate heterogeneous environments without sacrificing performance or support.

Innovative Tools and Performance Enhancements

Windows Server 2025 embraces innovative management and performance tools:

DTrace Integration: A native tool for dynamic system instrumentation, DTrace’s inclusion allows administrators to conduct real‑time performance monitoring and troubleshooting at both the kernel and user levels without modifying source code.
Storage and Networking Virtualization: Integrated with technologies like Software‑Defined Storage (Storage Spaces Direct) and Software‑Defined Networking (SDN), Hyper‑V enables efficient resource utilization across modern storage infrastructures—whether local, SAN, or hyperconverged solutions. SDN Multisite allows you to expand the capabilities of traditional SDN deployed at different physical locations. SDN Multisite enables native Layer 2 and Layer 3 connectivity across different physical locations for virtualized workloads
Enhanced Desktop Integration and Hybrid Cloud Capabilities: The new desktop shell and advanced upgrade paths from previous Windows Server versions ensure a smooth transition, bolstering both administrative efficiency and user experience.

Together, these capabilities position Hyper‑V as a strategic tool in the IT arsenal of enterprises worldwide.

Fortifying Infrastructure with Advanced Security

Multilayered Security Architecture

On the security front, Windows Server 2025 represents a major leap forward. At a time when cyber threats are increasingly sophisticated, Microsoft has embedded multiple security layers directly into the operating system. Hyper‑V plays a central role in virtualization‑based security (VBS), where hardware virtualization creates isolations that serve as roots of trust—from the hypervisor to the kernel. This design reduces the attack surface significantly, even if core components are compromised.

Active Directory and SMB Improvements

Primary security staples such as Active Directory have seen significant security enhancements. New protocols, improved encryption standards, and hardened configurations offer a resilient defense against credential-based attacks. In addition, file sharing services in Windows Server 2025 benefit from SMB hardening techniques, including support for SMB over QUIC. This ensures that file sharing remains secure against man‑in‑the‑middle attacks, brute force attempts, and spoofing threats while providing seamless access over the internet.

Delegate Managed Service Accounts (dMSA)

Microsoft has also overhauled the approach to service identity management. By introducing delegate Managed Service Accounts (dMSA), Windows Server 2025 eliminates the need for manual password management on service accounts. This automated process not only simplifies administrative overhead but also tightens security by ensuring that every account has the minimal privileges required—and every access is logged for better accountability.

Hotpatching: Zero‑Downtime Security Updates

Among the innovations, hot patching stands out as a “game changer.” In traditional systems, applying security patches often necessitated reboots—a disruptive process in today’s always‑on environments. Windows Server 2025 now supports hot patching, enabling administrators to apply updates to live systems without interruption. By leveraging Azure Arc, Windows Server 2025 brings a level of agility to on‑premises deployments similar to that found in cloud environments. It’s important to note, however, that for on‑premises solutions, hot patching is currently offered under a paid subscription model, while Azure customers get this capability as part of standard service offerings.

Hotpatch process

Bridging Cloud and On‑Premises with Seamless Integration

Hybrid Cloud Flexibility

Windows Server 2025’s hybrid cloud capabilities offer the best of both worlds. When integrated with Microsoft Azure Arc, Hyper‑V not only extends its virtualization benefits but also ensures that on‑premises deployments continuously receive cutting‑edge cloud agility. This seamless integration paves the way for dynamic scaling, improved disaster recovery, and unified management across multi‑cloud environments.

Cost Efficiency and Licensing Strategies

The licensing approach is designed with flexibility in mind. Whether you opt for the Standard edition or embrace the unlimited potential of the Datacenter edition, you receive enterprise‑grade virtualization at no additional cost for Hyper‑V. This cost model proves particularly attractive for organizations extending their operations to include Linux guests or multiple virtualized servers, streamlining operational costs without compromising security or performance.
Here you find more about Comparison of Windows Server editions.

Conclusion

Microsoft Windows Server 2025, with its powerhouse Hyper‑V virtualization solution, redefines how enterprises approach infrastructure management in an era of constant digital transformation. By combining advanced virtualization techniques with multilayered security features—ranging from VBS to hot patching—this release is a testament to Microsoft’s commitment to high performance and resilient, adaptive security.

For IT professionals eager to modernize their data centers and streamline hybrid cloud deployments, exploring the latest improvements in Hyper‑V and the overarching security framework in Windows Server 2025 is not just recommended—it’s imperative.

If you’re looking to experiment with these features and integrate them into your infrastructure, consider diving deeper into hot patching subscription details, exploring Linux guest integrations, or even benchmarking Hyper‑V performance against legacy virtualization systems. Each step uncovers further opportunities to optimize and secure your IT environment for the future.

JOIN the Microsoft Windows Server Insider Program

Test and Innovate with the New Windows Server Insider features!
It’s Awesome and Hyper-V Rocks

mountainss Cloud and Datacenter Management Blog

Install Microsoft Windows Server 2025 Insider Preview Build 26360

Try Now!

Windows Server 2025 Insider Preview Build 26360

Exploring the Latest Features in Microsoft Windows Server Insider Preview Builds

Microsoft’s Windows Server Insider Preview Builds are a treasure trove of innovation and advanced features designed to enhance performance, security, and flexibility for IT professionals. Today, we’re diving into the latest updates and new features introduced in the Windows Server 2025 Insider Preview Build.
Here you find more on What’s New in Microsoft Windows Server 2025

Here are some Highlights of new Windows Server 2025 Insider Preview features:

Enhanced Security with Delegated Managed Service Accounts (dMSA)

One of the standout features in this build is the introduction of Delegated Managed Service Accounts (dMSA). This new account type allows for migration from traditional service accounts to machine accounts with managed and fully randomized keys. By linking authentication to the device identity, dMSA helps prevent credential harvesting through compromised accounts, a common issue with traditional service accounts.

Windows Admin Center (WAC) Integration

Starting with this build, users can now download and install the Windows Admin Center (WAC) directly from the Windows Server Desktop. This in-OS app simplifies the installation process and provides a seamless experience for managing your server infrastructure.

Bluetooth Connectivity

Windows Server 2025 now supports Bluetooth connectivity, allowing users to connect mice, keyboards, headsets, and other peripherals directly to the server. This feature enhances flexibility and convenience for server management.

DTrace for Real-Time Performance Monitoring

The new build includes DTrace, a powerful command-line utility that enables real-time performance monitoring and troubleshooting. DTrace allows users to dynamically instrument both kernel and user-space code without modifying the code itself, supporting a range of data collection and analysis techniques.

Improved Upgrade Experience

Upgrading to Windows Server 2025 has never been easier. The build supports in-place upgrades from Windows Server 2012 R2 and later versions, allowing you to upgrade up to four versions at a time. This streamlined upgrade process ensures a smooth transition to the latest server version.

Feedback Hub for User Input

The new Feedback Hub app is now available for Server Desktop users. This app allows users to submit feedback or report issues directly to Microsoft, helping the development team understand user experiences and improve future builds.

SMB over QUIC and Alternative Ports

The build introduces SMB over QUIC with support for alternative ports. This feature enhances security and performance by allowing SMB traffic to use custom-defined ports instead of the default UDP/443 port.

Enhanced Desktop Experience

When you sign in for the first time, the desktop shell experience now conforms to the style and appearance of Windows 11. This visual update provides a familiar and modern interface for server administrators.

These new features and enhancements in the Windows Server 2025 Insider Preview Build demonstrate Microsoft’s commitment to providing cutting-edge solutions for IT professionals. Whether you’re looking to improve security, streamline management, or enhance performance, the latest Windows Server Insider Preview Build has something to offer.

Stay tuned for more updates and features as Microsoft continues to innovate and improve its server offerings.

Conclusion:

Become a Microsoft Windows Server Insider and get all the newest features first to play with it in your test environment.

Get started here and register for free

mountainss Cloud and Datacenter Management Blog

Deploy Windows Server 2025 security baselines locally with OSConfig

Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

The security baselines can be configured through PowerShell, Windows Admin Center, and Azure Policy. The OSConfig tool is a security configuration stack that uses a scenario-based approach to deliver and apply the desired security measures for your environment. The security baselines throughout the device life cycle can be applied using OSConfig starting from the initial deployment process.

To verify that the OSConfig module is installed, run the following command:
Get-Module -ListAvailable -Name Microsoft.OSConfig

Here we check the Baseline Security Compliance:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = “Status”; Expression={$_.Compliance.Status} }, @{ Name = “Reason”; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

You will see that the Security Baseline is not Complaint.

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer

Now we do the Security Baseline Compliance Check again:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = “Status”; Expression={$_.Compliance.Status} }, @{ Name = “Reason”; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

Conclusion

With OSConfig you can set the default of Microsoft Security Baseline in a quick way. It’s important to test everything first in a test environment before you set these settings in production. Here you find more information on GitHub

You can make also your own custom Security Baselines with OSConfig.

Keep your Microsoft Security Baseline up-to-date

OSConfig Overview

mountainss Cloud and Datacenter Management Blog

Windows Server 2025: Highlights of what’s new in security, hybrid cloud, and performance

Windows Server 2025 is here! Discover the latest features including hotpatching, next-generation Active Directory, easier onboarding to Azure Arc for hybrid and multi-cloud management, and a simplified upgrade process.

What’s New in Microsoft Windows Server 2025

Go to Microsoft evaluation center and try Windows Server 2025 yourself

mountainss Cloud and Datacenter Management Blog

Microsoft Windows Server 2025 is available and System Center 2025

Windows Server 2025 and SystemCenter 2025 available!

Windows Server 2025 and System Center 2025: A New Era of IT Management

Microsoft has officially launched Windows Server 2025 and System Center 2025, marking a significant milestone in the evolution of IT infrastructure management. These releases bring a host of new features and enhancements designed to improve security, performance, and manageability for both on-premises and hybrid cloud environments.

Windows Server 2025: Key Features and Enhancements

Advanced Security Features: Windows Server 2025 introduces several security enhancements, including Credential Guard, which is now enabled by default to protect against credential theft attacks. The new Active Directory functionalities offer improved security for confidential attributes and default machine account passwords.
Hybrid Cloud Capabilities: With hotpatching enabled by Azure Arc, Windows Server 2025 allows for seamless updates without requiring reboots, minimizing downtime and enhancing operational efficiency. This feature is particularly beneficial for organizations operating in hybrid cloud environments.
Performance Improvements: Windows Server 2025 delivers up to 60% more storage IOPs performance compared to its predecessor, thanks to NVMe storage performance enhancements. Additionally, the introduction of block cloning support provides significant performance benefits when copying files.
User Experience Enhancements: The new Desktop shell in Windows Server 2025 adopts the Windows 11 look and feel, supporting features like Bluetooth mice and keyboards, 7z and TAR compression formats, and the new Task Manager.

System Center 2025: Streamlined Management

Infrastructure Modernization: System Center 2025 supports the latest Windows Server version from Day 0, providing management and monitoring capabilities for Azure Stack HCI 23H2 clusters. This ensures that organizations can manage heterogeneous infrastructure with a single management plane.
Enhanced Security: System Center 2025 includes support for Transport Layer Security (TLS) version 1.3, ensuring that all data transmissions are protected by the latest encryption standards. Additionally, Data Protection Manager (DPM) 2025 introduces the capability to securely store passphrases in Azure Key Vault.
Improved Automation and Monitoring: System Center Orchestrator allows for efficient creation and execution of runbooks using native PowerShell scripts, while System Center Operations Manager provides comprehensive monitoring of health, capacity, and usage across applications and infrastructure.
Backup and Disaster Recovery: DPM 2025 offers flexible and efficient data protection strategies, including the ability to exclude specific disks from backups in Hyper-V environments. This ensures that organizations can tailor their backup solutions to meet their specific needs.

Conclusion

The release of Windows Server 2025 and System Center 2025 represents a significant advancement in IT infrastructure management. With enhanced security, improved performance, and robust hybrid cloud capabilities, these new versions are set to empower organizations to achieve greater efficiency and agility in their operations. Whether you’re managing on-premises servers or hybrid cloud environments, Windows Server 2025 and System Center 2025 provide the tools and features needed to stay ahead in the ever-evolving world of IT.

For more detailed information, you can visit the official Microsoft blog.

Don’t forget Microsoft Ignite Global Event

mountainss Cloud and Datacenter Management Blog

Unveiling Windows Server 2025 Insider Preview Build 26311 – Security and New Features!

Downloading Windows Server 2025 Insider Preview Build 26311

Microsoft has recently rolled out the latest Windows Server 2025 Insider Preview Build 26311, and it’s packed with enhancements that promise to elevate your server management experience. Let’s dive into the key features and security improvements that make this build a must-try for IT professionals and enthusiasts alike. Use this in test environment only until Windows Server 2025 is GA

Enhanced Security with Windows Defender Application Control (WDAC)

One of the standout features in this build is the Windows Defender Application Control for Business (WDAC). This software-based security layer significantly reduces the attack surface by enforcing a strict list of permitted software.

With WDAC, administrators can apply a Microsoft-defined default policy via PowerShell cmdlets, ensuring only trusted applications run on their servers.
This feature is powered by the OSconfig security configuration platform, which streamlines the process of maintaining a secure server environment.

Windows Server 2025 Security Baseline Preview

Security is further bolstered with the Windows Server 2025 Security Baseline Preview. This feature allows administrators to configure their servers with a recommended security posture right from the start

With over 350 preconfigured Windows security settings, the Security Baseline Preview helps enforce best practices and industry standards
This tailored security baseline can be applied to various server roles, including Domain Controllers, Member Servers, and Workgroup Members

Modern Identity Management and SMB Improvements

Windows Server 2025 also introduces modern, scalable identity management capabilities within Active Directory

These enhancements ensure robust security and streamlined management of user identities across the network. Additionally, Server Message Block (SMB) improvements, including SMB over QUIC, provide better protection against brute force attacks, spoofing, and relay attacks.

Feedback and Future Updates

Microsoft encourages users to provide feedback on this build through the new Feedback Hub app, which is now available for Server Desktop users
This app ensures that your insights and experiences help shape future updates and improvements.
You can join the Windows Server Insider Program here

In conclusion, Windows Server 2025 Insider Preview Build 26311 brings a host of security enhancements and new features designed to provide a secure, efficient, and modern server management experience. Whether you’re an IT professional or a tech enthusiast, this build is worth exploring to stay ahead in the ever-evolving world of server technology.

Here you find what’s New in Microsoft Windows Server 2025 (Preview)

mountainss Cloud and Datacenter Management Blog

Windows Server 2025 watch on demand Windows Server Summit 2024

All the recordings of the Microsoft Windows Server Summit 2024 event sessions are available on YouTube.
You can watch them on demand here

Here are some highlights of the Windows Server Summit 2024 event which I picked out:

Full Stack Native NVMe Support

Container Flexibility

SMB in Windows and Windows Server 2025

The Intel Xeon Processor Designed for AI

You can Upgrade to Windows Server 2025 via Windows Update.

Windows Server 2025 Security.

Delegated Managed Service Account.

Hotpatching for Windows Server 2025

Watch The evolution of Windows Authentication by Ned Pyle

mountainss Cloud and Datacenter Management Blog

Running Nano Server Insider Container on Windows Server 2025 Insider Preview Build 26080

Installing Docker on Windows Server 2025 Insider Preview Build 26080.1

During the Microsoft Windows Server Summit 2024 I got inspired to run a Windows Server 2025 Insider Preview Build and do something with Microsoft WinGet because this is now default installed on the latest Windows Server 2025 Insider Preview Build.

So with the following command, I installed Docker on the Window Server Insider Preview Build version 26080:

Invoke-WebRequest -UseBasicParsing “https://raw.githubusercontent.com/microsoft/Windows-Containers/Main/helpful_tools/Install-DockerCE/install-docker-ce.ps1” -o install-docker-ce.ps1
.\install-docker-ce.ps1

Docker running on Windows Server 2025 Insider Preview Build.

Here I’m pulling NanoServer Insider 26080 image.

With the following command:

docker pull mcr.microsoft.com/windows/nanoserver/insider:10.0.26080.1

the NanoServer Insider container image is in the repository.

So now is Microsoft Windows Package Manager (WinGet) tool handy on this Windows Server Insider Build, because I like to have Microsoft Visual Studio Code Installed to play with Windows Nano Server Insider Container.

First I did a Winget upgrade –all

with Winget search vscode you get the list
To install Visual Studio Code with Winget:
winget install Microsoft.VisualStudioCode

Visual Studio Code is installing.

Visual Studio Code is Installed.

I installed the Docker extension in VSCode.

Microsoft Windows Nano Server Insider Image version 26080 in VSCode.

Running Nano Server Insider Container on Windows Server 2025 Insider Preview Build.

On the Container host is a virtual Nat adapter 172.24.16.1 for
the containers the gateway.

Important:

This is not for production environment but for testing and learning only with new Microsoft technologies.

More information about running Containers on Windows Servers

Become Microsoft Windows Server Insider

mountainss Cloud and Datacenter Management Blog

Updating my MVPLAB with Windows Server 2025 Insider Preview Build 26040

Microsoft Windows Server 2025 Datacenter Insider Preview Build 26040

Microsoft released a new Windows Server Insider preview Build 26040 on January 26th and changed Windows Server vNext name into Microsoft Windows Server 2025!

So time to update my MVPLAB domain stack.local.