Windows Server

Windows Server 2019 Essentials update


For more than a decade the Windows Server team has been releasing Windows Server editions tailored to meet the needs of small business environments. Windows Server 2016 Essentials is the current in-market edition of Windows Server made for small business and is available for companies with up to 25 users.

As we started working on the next version, Windows Server 2019, we looked closely at the impact of recent technology trends on small business customers. We observed that cloud computing, in addition to affecting how large enterprises think about their datacenters, is also impacting how small companies are planning their IT services. For example, we have Microsoft 365 Business, which is easier to acquire and to integrate with other cloud services, and is particularly effective in environments that do not have full-time IT staff. In particular, capabilities that small businesses need, like file sharing and collaboration, are best achieved with a cloud service like Microsoft 365.

Furthermore, we recently collaborated with the MVP community and other influencers to listen and get a deeper understanding of the transition that our small business customers are going through. While our small business customers are embracing cloud services where they can, on-premises servers are still valuable and desired in the short term for reasons such as price and ability to run traditional applications that may not yet have corresponding cloud-based functionality.

All of this led to our decision to offer yet another version of on-premises server for small businesses – Windows Server 2019 Essentials. This edition will be released along with the other editions of Windows Server 2019 later this year. There is a strong possibility that this could be the last edition of Windows Server Essentials.

Windows Server 2019 Essentials will have the same characteristics as the 2016 version that small businesses look for:

  • Single license that includes Client Access Licenses (CAL) for up to 25 users/50 devices
  • Lower price point
  • Ability to run traditional applications and other features, such as file and print sharing

What’s in Windows Server 2019 Essentials

Windows Server 2019 Essentials has the same licensing and technical characteristics as its predecessor, Windows Server 2016 Essentials. If configured as a Domain Controller, Windows Server 2019 Essentials must be the only Domain Controller, must run all Flexible Single Master Operations (FSMO) roles, and cannot have two-way trusts with other Active Directory domains.

Windows Server 2019 Essentials includes the same new hardware support, features, and improvements as Windows Server 2019 Standard, including Storage Migration Services, System Insights, and many more.

Windows Server 2019 Essentials will not include the Essentials Experience role. The Essentials Experience primarily simplified file sharing and device management. For a better management experience, we now have Windows Admin Center.

Looking ahead

First and foremost, customers currently using Windows Server 2016 Essentials will be supported according to the Long Term Servicing Channel (LTSC) servicing timeline.

For companies with more than 25 users/50 devices, or companies that have potentially grown beyond 25 users, Windows Server 2019 Standard – and potentially the Datacenter edition – can provide more flexible deployment options.

Finally, we highly recommend that our small customers consider Microsoft 365 as an option for their file sharing and collaboration needs. Microsoft 365 provides a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security. Microsoft 365 Business includes a richer feature set including Office, e-mail and calendaring, file storage in the cloud, data protection, and so much more, allowing our small customers to evolve their business and achieve new levels of productivity.

We will continue to listen to our customers and provide solutions that meet their small business needs.


Everything you need to know about Windows Server 2019 – Part 3

In the preceding blogs, you were given a video-tour of some of the high-level advancements made in Windows Server 2019 that touched on areas such as the improvements made around hyper-converged infrastructure (HCI), hybrid capabilities such as Azure File Sync and Azure Site Recovery, our new administrative experience with the Windows Admin Center (WAC), and an array of pretty mind-blowing storage enhancements. In this article, we’ll describe some of the principles that help guide our thinking when designing security solutions and delve into a few of the innovations and enhancements we made to security in this latest Windows Server release.

How we think about security

Security has long been a top priority in Windows Server and that continues with Windows Server 2019. Over the years, we’ve not only invested a huge amount in developing mitigation for well-known attack vectors of the day, but also in trying to better understand how the attacks evolve over time and anything they might share in common.

The table below highlights some of the more notable takeaways from our ongoing work and research.

  1. The network is no longer the security perimeter (it hasn’t been for some time) | Identity is the (new) security perimeter
  2. Entry—we can’t stop this from happening | People will be fooled, bribed, blackmailed, etc.
  3. Eliminating human error isn’t possible | Phishing works and will continue to do so
  4. Insider-attacks are a big problem | Anomalous activity monitoring helps in detection; limit access through identity management and isolation
  5. Compliance is very important | But compliance and security are not the same thing: compliant != secure
  6. Prevention methods aren’t always technical or architectural | Many will be operational and that will impose some level of additional operational friction—security has a price $$$

At a high level, then, our efforts boil down to 4 core, and mostly self-explanatory, guiding principles (on the left) across 3 technology dimensions (on the right). It’s worth calling out that one of those technology dimensions, managing privileged identities, has never been more important than it is today given that identity and strong authentication are steadily replacing the network as the security perimeter.

These guiding principles and areas of focus help us ensure that we not only provide reactive mitigation to what are sadly becoming commonplace threats, but that we also build in proactive measures that prevent attacks from ever starting in the first place. Stated succinctly, security isn’t a bolt-on, it’s an architectural principle and one that both Windows 10 and Windows Server 2019 are walking (well, running if you’ll excuse the pun) incarnations of. That’s enough of our mental model, let’s get on with discussing some of the new capabilities in Windows Server 2019.

The privileged identity management capabilities provided by Windows Server 2016, such as Just Enough Administration (JEA) and Credential Guard carry forward into Windows Server 2019. For the purposes of this blog then, we’ll focus on a few of the other technologies that embrace the latter two dimensions: securing the OS and providing secure fabric virtualization and virtualization-based security (VBS).

Secure the OS

Technologies for mitigating code execution attacks

This example takes us well down into the weeds of just two of the ways that the OS protects itself by ensuring that only legitimate, whitelisted code can run and that, when it does, it runs in the manner it was intended to.

With Windows Defender Application Control (WDAC), administrators can create policies that block anything from running unless it’s included in the whitelisted policy. Because the WDAC policy is enforced by the hypervisor, its control extends even to kernel mode components like drivers.

Note that we mentioned that the policy is enforced by the hypervisor, not Hyper-V. It’s pretty easy to conflate hypervisor and Hyper-V as one and the same thing—they’re actually not the same thing. At its core, a hypervisor controls the hardware’s native virtualization capabilities and Windows uses it in two distinct ways:

  1. Hyper-V uses the Windows hypervisor to allow you to create and run virtual machines attached to virtual networks, etc.
  2. Windows itself (without Hyper-V) leverages the hypervisor’s control over the virtualization hardware extensions to isolate various OS components from one another for the purposes of OS integrity and confidentiality.

With WDAC in Windows Server 2019, you can now “stack” multiple policies on top of one another to create a whitelist that is the aggregate of all stacked policies. It’s even possible to create a policy that allows the WDAC policy to be changed without requiring a reboot!

Control Flow Guard (CFG) provides built-in platform security designed to combat intentional memory corruption vulnerabilities. By placing restrictions on where an application can execute code from, it makes it much harder for malicious software to execute arbitrary code through vulnerabilities such as buffer overflows. With Windows Server 2019, we’ve added support for kernel-mode CFG, too.

Secure fabric virtualization and virtualization-based security (VBS)

Support for shielding Linux VMs

With Windows Server 2019, you’re now able to protect your Linux workloads by running them inside shielded VMs. By leveraging the same protections as Windows VMs including Secure Boot, template disk signing, a secure provisioning process, and TPM-sealed disk encryption keys, you’re able to protect data in your Linux VMs at rest and in flight when migrating the VM between two Hyper-V hosts. Under the hood, we’re leveraging the native dm-crypt disk encryption technology to enable the VM to encrypt itself and ensure the VM owner is the only entity with access to the disk encryption passphrases. Learn how to get started with Linux shielded VMs and check out the open source tools that power them.

Simplified host attestation model

In Windows Server 2019, we are introducing a new attestation mode based on asymmetric key pairs called Host Key attestation. This mode is designed to greatly simplify setup in environments where TPM attestation is not possible. It offers similar assurances to the existing Active Directory attestation mode, in that possession of the key is enough to be able to run shielded VMs, but does not require an Active Directory trust to be established (the hosts don’t even need to be domain joined). A TPM is not required on the Hyper-V host, which also means that HGS will not validate the hardware or software configuration on the host as it does with TPM mode. Check out how to deploy the Host Guardian Service and configure it and Hyper-V hosts for Host Key attestation.
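
The Host Key attestation setup described above, as an added PowerShell walk-through (not part of the original post). The domain name `bastion.example`, service name `hgs`, host name `HV01` and all file paths are placeholder assumptions; the signing and encryption PFX files are assumed to exist already.

```powershell
# Added example: HGS in Host Key mode plus one guarded Hyper-V host.
# All names, URLs and paths below are placeholders, not values from the post.

# --- On the HGS server ---------------------------------------------------
Install-WindowsFeature -Name HostGuardianServiceRole -IncludeManagementTools -Restart

# By default HGS creates its own AD forest; no trust with the fabric domain
# is needed for Host Key mode.
$dsrmPwd = Read-Host -AsSecureString -Prompt 'DSRM password'
Install-HgsServer -HgsDomainName 'bastion.example' `
    -SafeModeAdministratorPassword $dsrmPwd -Restart

# After the reboot: initialize the service. -TrustHostKey selects Host Key
# attestation (the alternatives are -TrustTpm and -TrustActiveDirectory).
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Initialize-HgsServer -HgsServiceName 'hgs' `
    -SigningCertificatePath 'C:\certs\signing.pfx' `
    -SigningCertificatePassword $pfxPwd `
    -EncryptionCertificatePath 'C:\certs\encryption.pfx' `
    -EncryptionCertificatePassword $pfxPwd `
    -TrustHostKey

# --- On each Hyper-V host (domain join not required) ---------------------
Install-WindowsFeature -Name Hyper-V, HostGuardian -IncludeManagementTools -Restart

# Generate the host's key pair and export only the public half.
Set-HgsClientHostKey
Get-HgsClientHostKey -Path 'C:\temp\HV01-HostKey.cer'

# --- Back on the HGS server ----------------------------------------------
# Register the exported public key. Possession of the matching private key
# is all a host needs to pass attestation, so treat this list as an
# allow-list and review it whenever a host is retired or rebuilt.
Add-HgsAttestationHostKey -Name 'HV01' -Path 'C:\temp\HV01-HostKey.cer'
Get-HgsAttestationHostKey

# --- On the Hyper-V host -------------------------------------------------
Set-HgsClientConfiguration `
    -AttestationServerUrl   'http://hgs.bastion.example/Attestation' `
    -KeyProtectionServerUrl 'http://hgs.bastion.example/KeyProtection'

# IsHostGuarded should be True and AttestationStatus should be Passed.
# Unlike TPM mode, a pass here says nothing about the host's firmware,
# boot chain or code integrity policy.
Get-HgsClientConfiguration
```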

What next?

There’s a huge array of new capabilities in Windows Server 2019 so it’s well worthwhile getting yourself ahead of the learning curve by downloading the Windows Server 2019 preview release and giving these new capabilities a test drive yourself. You can also join the conversation going on in the Windows Server Tech Community space.


Everything you need to know about Windows Server 2019 – Part 2

Hybrid is the destination, not the journey. Millions of our customers rely on their Windows Server investments to run their business and the public cloud doesn’t extinguish this, it enhances it. Azure provides vast storage, disaster protection, security, and infrastructure management options for business leaders and IT managers to integrate with their traditional on-premises datacenters and modern edge devices.

As you saw with our first post of this series, Windows Server 2019 is available as a preview in the Windows Insiders program. Along with the new Windows Admin Center, it is our first server operating system to fully embrace this hybrid datacenter and cloud goal. We do this through a combination of new in-box features, nimble add-on components, and Azure services designed to leverage all the best advantages of edge computing with Azure capacity.

Some of our hybrid investments for Windows Server 2019 include:

  • The Windows Admin Center combined with hybrid Azure extensions
  • Storage Migration Service
  • Azure File Sync
  • Storage Replica

Attendees of the Microsoft Ignite 2018 conference are likely to see a few more surprises too! Let’s dig into these new features.

The Windows Admin Center combined with Azure services

Windows Admin Center empowers you to leverage Azure services from your on-premises environment:

  • Discover, deploy, and utilize Azure services without leaving a central user interface. Windows Admin Center streamlines setup and automatically provisions required Azure resources, installs necessary agents, and initializes the service behind-the-scenes.
  • Windows Admin Center currently has built-in integration support for the following services, with plans to integrate with more services in the future:

      • Azure Site Recovery: Protect business-critical workloads running on Hyper-V Virtual Machines from disaster.
      • Azure Backup (coming soon): Protect your servers from accidental deletion of data, corruption, and even ransomware attacks.
      • Azure Update Management: Manage operating system updates across all the servers in your environment.
      • Azure AD authentication: Bolsters the security of your Windows Admin Center gateway with the power of Azure Active Directory. This lights up features like conditional access policies and multi-factor authentication to Windows Admin Center.
      • Manage Windows Server IaaS VMs using Windows Admin Center: Granular troubleshooting or configuration.

You can use these features today by downloading Windows Admin Center. Installation takes under 5 minutes, and there is no agent installation required on servers or clusters you wish to manage.

Storage Migration Service

The new Storage Migration Service, included in Windows Server 2019, migrates servers and their data without reconfiguring applications or users. It’s fast, consistent, and scalable while taking care of the enormous complexity and subtle environmental problems inherent to server migrations. It also provides an intuitive graphical workflow using – you guessed it – Windows Admin Center.

The Storage Migration Service goal is to help you retire Windows Server 2003, Windows Server 2008, and Windows Server 2012 and move onto modern platforms that offer new hybrid service options like Windows Server 2016 and Windows Server 2019. It operates in three distinct phases: inventory your old servers, transfer their data to modern targets, then take over the old server’s identity and networking so that users and applications cannot tell the migration even happened.

Azure File Sync

The new Azure File Sync service is generally available for deployment on Windows Server 2019 (as well as Windows Server 2016 and even Windows Server 2012 R2), and centralizes your organization’s file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server.

Azure File Sync transforms your on-premises Windows File Server into a hot cache so that the files your organization is accessing are local, while providing virtually bottomless storage as cold data is automatically tiered up to Azure. You can use any protocol that’s available on Windows Server to access your data locally, including SMB, NFS, and FTPS. You can have as many caches as you need across the world.

Storage Replica

The Storage Replica disaster protection service was first added in Windows Server 2016, and Windows Server 2019 now adds additional capabilities for hybrid scenarios. It includes a limited version for Standard edition Windows Server, allowing small and medium businesses to protect themselves with an Azure IaaS VM as their second site when they don’t have multiple locations. We also added test failover and Windows Admin Center support and are working on a surprise for Storage Replica hybrid usage we’ll unveil at Microsoft Ignite!

The wrap-up

Hybrid is the destination, not the journey. Azure and Windows Server combine to offer incredible value and capabilities to any-sized business and offer the on-ramp to the next generation of compute, storage, networking, and security.

Get ahead of the learning curve now by downloading Windows Server 2019 preview, Windows Admin Center, and Azure File Sync today, then join the conversation on the Windows Server Tech Community space.


Everything you need to know about Windows Server 2019 – Part 1

This blog post was authored by Vinicius Apolinario, Senior Product Marketing Manager, Windows Server.

You should know by now that Windows Server 2019 is available as a preview in the Windows Insiders program. In the last few months, the Windows Server team has been working tirelessly on some amazing new features. We wanted to share the goodness that you can expect in the product through a series of blog posts. This is the first in the series that will be followed by deep-dive blog posts by the engineering experts.

Windows Server 2019 has four main areas of investment, and below is a glimpse of each area.

  1. Hybrid: Windows Server 2019 and Windows Admin Center will make it easier for our customers to connect existing on-premises environments to Azure. With Windows Admin Center it is also easier for customers on Windows Server 2019 to use Azure services such as Azure Backup and Azure Site Recovery, and more services will be added over time.
  2. Security: Security continues to be a top priority for our customers and we are committed to helping our customers elevate their security posture. Windows Server 2016 started on this journey and Windows Server 2019 builds on that strong foundation, along with some shared security features with Windows 10, such as Defender ATP for server and Defender Exploit Guard.
  3. Application Platform: Containers are becoming popular as developers and operations teams realize the benefits of running in this new model. In addition to the work we did in Windows Server 2016, we have been busy with the Semi-Annual Channel releases and all that work culminates in Windows Server 2019. Examples of these include Linux containers on Windows, the work on the Windows Subsystem for Linux (WSL), and the smaller container images.
  4. Hyper-converged Infrastructure (HCI): If you are thinking about evolving your physical or host server infrastructure, you should consider HCI. This new deployment model allows you to consolidate compute, storage, and networking into the same nodes allowing you to reduce the infrastructure cost while still getting better performance, scalability, and reliability.

To get you excited, we are kicking off the Windows Server 2019 blog series with Jeff Woolsey showing a brief overview on some cool new features that you should try today! To hear more, check out the deep dive on Windows Server 2019 updates.


Microsoft is upgrading the host OS of Azure App Service and Azure Functions to Windows Server 2016

Microsoft is planning to upgrade App Service and Functions infrastructure to Windows Server 2016. This update paves the way to allow the HTTP/2 protocol for App Service and Functions. Microsoft will send communications when HTTP/2 support becomes available worldwide. The update will begin on Monday, December 4, 2017, and continue through January 2018.

What does it mean for the Azure Administrators and End Users?

Most updates can be performed without affecting your services running on the platform’s infrastructure. However, this update will automatically restart your App Services, and this may happen multiple times during the OS patching. The Microsoft monitoring team will be monitoring the health of the platform during the rollout.

Recommended Actions

Test your app in your local environment if you have Windows Server 2016.

Alternatively, you can install IIS in Windows 10 and test your app in a Windows 10 environment, because Windows 10 shares many components with Windows Server 2016.
