Windows Server 2025 New Features
This article describes some of the newest developments in Windows Server 2025, which boasts advanced features that improve security, performance, and flexibility. With faster storage options and the ability to integrate with hybrid cloud environments, managing your infrastructure is now more streamlined. Windows Server 2025 builds on the strong foundation of its predecessor while introducing a range of innovative enhancements to adapt to your needs.
What’s New in Windows Server 2025
The following new features are specific to Windows Server with Desktop Experience only. Both the physical devices running the operating system and the correct drivers must be readily available.
Accelerated Networking
Accelerated Networking (AccelNet) simplifies the management of single root I/O virtualization (SR-IOV) for virtual machines (VM) hosted on Windows Server 2025 clusters. This feature uses the high-performance SR-IOV data path to reduce latency, jitter, and CPU utilization. AccelNet also includes a management layer that handles prerequisite checking, host configuration, and VM performance settings.
Active Directory Domain Services
The latest enhancements to Active Directory Domain Services (AD DS) and Active Directory Lightweight Domain Services (AD LDS) introduce a range of new functionalities and capabilities aimed at optimizing your domain management experience:
32k Database Page Size Optional Feature
AD has used an Extensible Storage Engine (ESE) database with an 8k database page size since its introduction in Windows 2000. The 8k architectural design decision resulted in limitations throughout AD that are documented in AD Maximum Limits Scalability. An example of this limitation is a single record AD object, which can’t exceed 8k bytes in size. Moving to a 32k database page format offers a huge improvement in areas affected by legacy restrictions; for example, multi-valued attributes can now hold up to ~3,200 values, an increase by a factor of 2.6.
New DCs with 32k Page Database
New Domain Controllers (DCs) can be installed with a 32k page database that uses 64-bit Long Value IDs (LIDs) and runs in an “8k page mode” for compatibility with previous versions. An upgraded DC continues to use its current database format and 8k pages. Moving to 32k database pages is done on a forest-wide basis and requires that all DCs in the forest have a 32k page capable database.
AD Schema Updates
Three new Log Database Files (LDF) are introduced that extend the AD schema: sch89.ldf, sch90.ldf, and sch91.ldf. The AD LDS equivalent schema updates are in MS-ADAM-Upgrade3.ldf. For more about previous schema updates, see Windows Server AD schema updates.
AD Object Repair
AD now allows enterprise administrators to repair objects that are missing the core attributes SamAccountType and ObjectCategory. Enterprise administrators can also reset the LastLogonTimeStamp attribute on an object to the current time. These operations are performed on the affected object through a new RootDSE modify operation called fixupObjectState.
Channel Binding Audit Support
Events 3074 and 3075 can now be enabled for Lightweight Directory Access Protocol (LDAP) channel binding. When the channel binding policy is modified to a more secure setting, an administrator can identify devices in the environment that don’t support or fail channel binding.
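To act on these audit events, the sketch below groups them by client so you can see which devices would break under a stricter channel binding policy. It is an added example, not Microsoft's code; it assumes the events are written to the Directory Service log on the DC and that the message text carries the client's IPv4 address.

```powershell
# Added example: summarise LDAP channel binding audit events (3074/3075) per client.
# Assumptions: events are in the 'Directory Service' log and the message text
# contains the client's IPv4 address. IPv6 clients show up as "(no IPv4 ...)".
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Directory Service'; Id = 3074, 3075; StartTime = $since }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No 3074/3075 events since $since (auditing may not be enabled)."
    return
}

$ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$events | ForEach-Object {
    $match = [regex]::Match($_.Message, $ipv4)
    [pscustomobject]@{
        EventId = $_.Id
        Client  = if ($match.Success) { $match.Value } else { '(no IPv4 address in message)' }
        Time    = $_.TimeCreated
    }
} | Group-Object -Property EventId, Client | ForEach-Object {
    # One output row per (event ID, client) pair with a hit count and last sighting.
    [pscustomobject]@{
        EventId  = $_.Group[0].EventId
        Client   = $_.Group[0].Client
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it in an elevated session on each DC; an empty result after the audit has been enabled for a representative period is the signal that a stricter setting is safe to roll out.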
DC-location Algorithm Improvements
The DC discovery algorithm provides new functionality, with improvements to the mapping of short NetBIOS-style domain names to DNS-style domain names.
Forest and Domain Functional Levels
The new functional level is used for general supportability and is required for the new 32K database page size feature. The new functional level maps to the value of DomainLevel 10 and ForestLevel 10 for unattended installs.
Improved Algorithms for Name/Sid Lookups
Local Security Authority (LSA) Name and Sid lookup forwarding between machine accounts no longer uses the legacy Netlogon secure channel. Kerberos authentication and the DC Locator algorithm are used instead.
Improved Security for Confidential Attributes
DCs and AD LDS instances only allow LDAP add, search, and modify operations involving confidential attributes when the connection is encrypted.
Improved Security for Default Machine Account Passwords
AD now uses randomly generated default computer account passwords. Windows 2025 DCs block setting computer account passwords to the default password of the computer account name.
Kerberos PKINIT Support for Cryptographic Agility
The Kerberos Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) protocol implementation is updated to allow for cryptographic agility by supporting more algorithms and removing hardcoded algorithms.
LAN Manager GPO Setting
The GPO setting Network security: Don’t store LAN Manager hash value on next password change is no longer present or applicable in new versions of Windows.
LDAP Encryption by Default – Windows Server 2025
All LDAP client communication after a Simple Authentication and Security Layer (SASL) bind utilizes LDAP sealing by default.
LDAP Support for TLS 1.3
LDAP uses the latest SCHANNEL implementation and supports TLS 1.3 for LDAP over TLS connections.
Legacy SAM RPC Password Change Behavior
Secure protocols such as Kerberos are the preferred way to change domain user passwords. The latest SAM RPC password change method SamrUnicodeChangePasswordUser4 using AES is accepted by default.
NUMA Support
AD DS now takes advantage of Non-uniform Memory Access (NUMA) capable hardware by utilizing CPUs in all processor groups.
Performance Counters
Performance counters for monitoring and troubleshooting are now available for the following:
- DC Locator – Client and DC specific counters available.
- LSA Lookups – Name and SID lookups through the LsaLookupNames, LsaLookupSids, and equivalent APIs.
- LDAP Client – Available in Windows Server 2022 and later via KB 5029250 update.
Replication Priority Order – Windows Server 2025
AD now allows administrators to increase the system calculated replication priority with a particular replication partner for a particular naming context.
Windows Server 2025 – Azure Arc
By default, the Azure Arc setup Feature-on-Demand is installed, offering a user-friendly wizard interface and a system tray icon in the taskbar to facilitate the process of adding servers to Azure Arc.
Block Cloning Support
Starting with Windows 11 24H2 and Windows Server 2025, Dev Drive now supports Block cloning.
Windows Server 2025 – Bluetooth
You can now connect mice, keyboards, headsets, audio devices, and more via Bluetooth in Windows Server 2025.
Credential Guard
Starting with Windows Server 2025, Credential Guard is now enabled by default on devices that meet the requirements. For more information about Credential Guard, see Configure Credential Guard.
Desktop Shell
When you sign in for the first time, the desktop shell experience conforms to the style and appearance of Windows 11.
Delegated Managed Service Account
This new type of account enables migration from a service account to a delegated Managed Service Account (dMSA). This account type comes with managed and fully randomized keys ensuring minimal application changes while disabling the original service account passwords. To learn more, see Delegated Managed Service Accounts overview.
Dev Drive – Windows Server 2025
Dev Drive is a storage volume that aims to enhance the performance of crucial developer workloads. Dev Drive utilizes ReFS technology and incorporates specific file system optimizations to offer greater control over storage volume settings and security. This includes the ability to designate trust, configure antivirus settings, and exercise administrative control over attached filters. To learn more, see Set up a Dev Drive on Windows 11.
DTrace
Windows Server 2025 comes equipped with dtrace as a native tool. DTrace is a command-line utility that enables users to monitor and troubleshoot their system’s performance in real-time. DTrace allows users to dynamically instrument both the kernel and user-space code without any need to modify the code itself. This versatile tool supports a range of data collection and analysis techniques, such as aggregations, histograms, and tracing of user-level events. To learn more, see DTrace for command line help and DTrace on Windows for other capabilities.
Email & Accounts
You can now add the following accounts in Settings > Accounts > Email & accounts for Windows Server 2025:
- Microsoft Entra ID
- Microsoft account
- Work or school account
It’s important to keep in mind that domain join is still required for most situations.
Feedback Hub in Windows Server 2025
Submitting feedback or reporting problems encountered while using Windows Server 2025 can now be done using the Windows Feedback Hub. You can include screenshots or recordings of the process that caused the issue to help us understand your situation and share suggestions to enhance your Windows experience. To learn more, see Explore the Feedback Hub.
File Compression in Windows Server 2025
Build 26040 adds a new compression feature called Compress to, available when you right-click an item. This feature supports ZIP, 7z, and TAR compression formats with specific compression methods for each.
Hyper-V Manager in Windows Server 2025
When users create a new VM through the Hyper-V Manager, Generation 2 is now set as the default option in the New Virtual Machine Wizard.
Hypervisor-Enforced Paging Translation
Hypervisor-enforced paging translation (HVPT) is a security enhancement to enforce the integrity of linear address translations. HVPT protects critical system data from write-what-where attacks where the attacker writes an arbitrary value to an arbitrary location, often as the result of a buffer overflow. HVPT guards page tables that configure critical system data structures. HVPT includes everything already secured with hypervisor-protected code integrity (HVCI). HVPT is enabled by default where hardware support is available. HVPT isn’t enabled when Windows Server runs as a guest in a VM.
Network ATC
Network ATC streamlines the deployment and management of network configurations for Windows Server 2025 clusters. It utilizes an intent-based approach, where users specify their desired intents, such as management, compute, or storage for a network adapter, and the deployment is automated based on the intended configuration. This approach reduces the time, complexity, and errors associated with host networking deployment, ensures configuration consistency across the cluster, and eliminates configuration drift. To learn more, see Deploy host networking with Network ATC.
NVMe
NVMe is a new standard for fast solid-state drives (SSDs). Experience NVMe optimization in Windows Server 2025 with improved performance, resulting in an increase in IOPS and decrease in CPU utilization.
OpenSSH
In earlier versions of Windows Server, the OpenSSH connectivity tool required a manual install before use. Starting with build 26080, the OpenSSH server-side component is installed by default in Windows Server 2025. The Server Manager UI also includes a one-click option under Remote SSH Access that enables or disables the sshd.exe service. Also, you can add users to the OpenSSH Users group to allow or restrict access to your devices. To learn more, see OpenSSH for Windows overview.
Pinned Apps
Pinning your most used apps is now available through the Start menu and is customizable to suit your needs. As of build 26085, the default pinned apps are currently:
- Azure Arc Setup
- Feedback Hub
- File Explorer
- Microsoft Edge
- Server Manager
- Settings
- Terminal
- Windows PowerShell
Windows Server 2025 – Remote Access
By default, new Routing and Remote Access Services (RRAS) setups don’t accept VPN connections based on PPTP and L2TP protocols. You can still enable these protocols if necessary. SSTP and IKEv2 based VPN connections are still accepted without any change.
Secure Certificate Management
Searching or retrieving certificates on Windows now supports SHA-256 hashes, as described in the functions CertFindCertificateInStore and CertGetCertificateContextProperty. TLS server authentication is more secure across Windows, and now requires a minimum RSA key length of 2048 bits. For more information, read TLS server authentication: Deprecation of weak RSA certificates.
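Before relying on the 2048-bit minimum, it helps to know which server certificates on a host fall short. The following added example (not Microsoft's code) inventories the local machine's personal store, flags RSA keys under 2048 bits, and identifies each certificate by its SHA-256 hash; the store path is an assumption and can be changed.

```powershell
# Added example: find TLS server certificates with RSA keys below 2048 bits
# and report each one by SHA-256 hash. Store path is an assumption.
$storePath     = 'Cert:\LocalMachine\My'
$minRsaBits    = 2048
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sha256        = [System.Security.Cryptography.SHA256]::Create()

Get-ChildItem -Path $storePath | ForEach-Object {
    $cert = $_

    # EKU OIDs on the certificate; an empty list means "valid for all purposes".
    $ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ } |
              ForEach-Object { $_.ObjectId })
    $isServerCert = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)

    # Returns $null for non-RSA keys (for example ECDSA), which are out of scope here.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    if ($isServerCert -and $rsa) {
        $hash = $sha256.ComputeHash($cert.RawData)
        [pscustomobject]@{
            Subject  = $cert.Subject
            RsaBits  = $rsa.KeySize
            Weak     = $rsa.KeySize -lt $minRsaBits
            NotAfter = $cert.NotAfter
            Sha256   = [BitConverter]::ToString($hash) -replace '-', ''
        }
    }
} | Sort-Object RsaBits | Format-Table -AutoSize

$sha256.Dispose()
```

Any row with `Weak` set to `True` is a candidate for reissue with a longer key.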
Security Baseline
By implementing a customized security baseline, you can establish security measures right from the beginning for your device or VM role based on the recommended security posture. This baseline comes equipped with over 350 preconfigured Windows security settings that enable you to apply and enforce specific security settings that align with the best practices recommended by Microsoft and industry standards. To learn more, see OSConfig overview.
Server Message Block – Windows Server 2025
Server Message Block (SMB) is one of the most widely used protocols in networking by providing a reliable way to share files and other resources between devices on your network. Windows Server 2025 brings the following SMB capabilities.
SMB over QUIC Disablement
Administrators can disable the SMB over QUIC client through Group Policy and PowerShell. To disable SMB over QUIC using Group Policy, set the Enable SMB over QUIC policy in the following paths:
- Computer Configuration\Administrative Templates\Network\Lanman Workstation
- Computer Configuration\Administrative Templates\Network\Lanman Server
SMB Signing and Encryption Auditing
Administrators can enable auditing of the SMB server and client for support of SMB signing and encryption. If a third-party client or server lacks support for SMB encryption or signing, it can be detected. You can configure SMB signing and encryption auditing settings using Group Policy or PowerShell.
SMB Over QUIC Auditing
SMB over QUIC client connection auditing writes events to an event log so that the QUIC transport appears in the Event Viewer.
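The PowerShell route for the three SMB items above can be scripted as one pass. This is an added example, not Microsoft's code: the parameter names (`EnableSMBQUIC` and the four `Audit...` switches) and the audit log name pattern are assumptions about the Windows Server 2025 SMB module, so the script checks that each parameter exists before using it.

```powershell
# Added example: disable the SMB over QUIC client and enable signing/encryption
# auditing, applying only the parameters this build actually exposes.
# Set-IfSupported is a hypothetical helper defined here, not a built-in cmdlet.
function Set-IfSupported {
    param([string]$Cmdlet, [hashtable]$Settings)
    $known = (Get-Command -Name $Cmdlet -ErrorAction Stop).Parameters
    $apply = @{}
    foreach ($name in $Settings.Keys) {
        if ($known.ContainsKey($name)) { $apply[$name] = $Settings[$name] }
        else { Write-Warning "$Cmdlet has no -$name on this build; skipped." }
    }
    if ($apply.Count) { & $Cmdlet @apply -Confirm:$false }
}

# Client side: turn off the QUIC transport, audit servers lacking encryption/signing.
Set-IfSupported -Cmdlet 'Set-SmbClientConfiguration' -Settings @{
    EnableSMBQUIC                       = $false
    AuditServerDoesNotSupportEncryption = $true
    AuditServerDoesNotSupportSigning    = $true
}

# Server side: audit clients lacking encryption/signing.
Set-IfSupported -Cmdlet 'Set-SmbServerConfiguration' -Settings @{
    AuditClientDoesNotSupportEncryption = $true
    AuditClientDoesNotSupportSigning    = $true
}

# Read back recent audit events from whichever SMB audit logs exist and hold records.
Get-WinEvent -ListLog 'Microsoft-Windows-SMB*/Audit' -ErrorAction SilentlyContinue |
    Where-Object RecordCount |
    ForEach-Object { Get-WinEvent -LogName $_.LogName -MaxEvents 20 } |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Leave auditing on long enough to cover third-party clients and appliances before requiring signing or encryption.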
Software Defined Networking (SDN)
SDN is an approach to networking that allows network administrators to manage network services through abstraction of lower-level functionality. SDN enables the separation of the network control plane, which is responsible for managing the network, from the data plane, which handles the actual traffic.
Storage Replica Enhanced Log
Enhanced Logs help the Storage Replica log implementation to eliminate the performance costs associated with file system abstractions, leading to improved block replication performance. To learn more, see Storage Replica Enhanced Log.
Windows Server 2025 – Task Manager
Build 26040 now sports the modern Task Manager app with mica material conforming to the style of Windows 11.
Virtualization-based Security (VBS) Enclaves
A VBS enclave is a software-based trusted execution environment (TEE) inside the address space of a host application.
Virtualization-Based Security (VBS) Key Protection
VBS key protection enables Windows developers to secure cryptographic keys using virtualization-based security (VBS).
Wi-Fi
It’s now easier to enable wireless capabilities as the Wireless LAN Service feature is now installed by default.
Windows Containers Portability
Portability is a crucial aspect of container management; it can simplify upgrades by giving containers in Windows enhanced flexibility and compatibility.
Windows Insider Program
The Windows Insider Program provides early access to the latest Windows OS releases for a community of enthusiasts.
Windows Local Administrator Password Solution (LAPS)
Windows LAPS helps organizations manage local administrator passwords on their domain-joined computers. It automatically generates unique passwords for each computer’s local administrator account, stores them securely in AD, and updates them regularly.
Windows Terminal – Windows Server 2025
The Windows Terminal, a powerful and efficient multishell application for command-line users, is available in this build. Search for “Terminal” in the search bar.
Windows Server 2025 – Winget
Winget, a command line Windows Package Manager tool that provides comprehensive package manager solutions for installing applications on Windows devices, is installed by default.