Windows Server 2025: Security, Hotpatching & VBS

The security of Windows Server 2025 builds on Windows Server 2022, which focused on Zero Trust, advanced compliance, and strong hybrid cloud integration. Based on this foundation, several new features have been added to further enhance security. This article outlines the improvements implemented in Windows Server 2025 and what you can do to optimize them even further.

Security Improvements

Zero Trust and Identity Security

Windows Server 2025 integrates the Zero Trust model, enforcing strict access control combined with Multi-Factor Authentication (MFA). This is implemented by connecting Windows Server 2025 to Microsoft Entra ID. In addition, Conditional Access Policies grant access to the corporate network only when specific conditions are met. On compatible hardware, Credential Guard is enabled by default; it uses virtualization-based isolation to protect NTLM password hashes, Kerberos tickets, and other credentials from theft by code running in the normal operating system.

Virtualization-Based Security (VBS) & Secured-core

With Virtualization-Based Security (VBS), sensitive workloads and secrets run in an isolated environment that even administrator-level code in the normal operating system cannot read. Cryptographic keys are protected with VBS Key Protection, which isolates them and leverages hardware-based security. Secured-core servers, equipped with Hypervisor-protected Code Integrity (HVCI), block malicious drivers at the hardware level and surface security events through Defender for Cloud.
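The following PowerShell is an added example, not code from the original article or from Microsoft: it reports whether VBS, Credential Guard and HVCI are actually running (configured and running are reported separately) and enables them where they are not. It assumes a Windows Server 2025 host with UEFI, Secure Boot and CPU virtualization extensions, run as a local administrator, and uses the documented Device Guard and LSA registry values; validate driver compatibility on a test host before turning on HVCI in production.

```powershell
# Added example: inspect and enable VBS, Credential Guard and HVCI.
# Assumes UEFI + Secure Boot + virtualization extensions; run elevated.

# --- 1. Report current state ------------------------------------------------
# Win32_DeviceGuard exposes what is configured vs. what is actually running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'Disabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
}
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$cgRunning   = $dg.SecurityServicesRunning -contains 1
$hvciRunning = $dg.SecurityServicesRunning -contains 2

[pscustomobject]@{
    VBS             = $vbsStatus
    CredentialGuard = $cgRunning
    HVCI            = $hvciRunning
} | Format-List

# --- 2. Enable whatever is not running ----------------------------------------
$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord
}
if (-not $hvciRunning) {
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
}
if (-not $cgRunning) {
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock (cannot be switched off remotely),
    #              2 = enabled without UEFI lock (easier to roll back during a pilot)
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 1 -Type DWord
}

Write-Host 'A reboot is required; re-run section 1 afterwards and confirm SecurityServicesRunning contains 1 and 2.'
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning matters: a policy can be set while the hypervisor never started (missing Secure Boot, nested virtualization not exposed), so only the "Running" values prove the credentials are actually isolated.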

Hotpatching and Resilience

Through Hotpatching with Azure Arc, monthly security updates can be installed without requiring a reboot. Only the baseline needs to be restarted once per quarter. In addition, Microsoft has announced Quick Machine Recovery (QMR) as part of the Windows Resiliency Initiative, allowing devices to be restored when critical failures prevent them from booting. However, this feature is not yet generally available.

Network and Communication Security

Authentication and transport security have been strengthened with LDAP over TLS 1.3 and advanced Kerberos algorithms. Windows Server supports DoH on the client side; the DNS Server role does not provide native DoH/DoT.

Endpoint Protection

Microsoft Defender for Servers/Endpoint is a security platform that helps organizations prevent, detect, investigate, and respond to threats. You can also purchase Microsoft Defender for Servers (via Defender for Cloud) as a separate paid Azure service for Windows Server workloads. This cloud-native application protection platform (CNAPP) secures DevOps pipelines and provides protection for virtual machines and workloads.

Active Directory

Active Directory (AD) remains an essential component for managing user accounts and computers in a Windows network. AD is the central solution for managing users, devices, and access rights within your environment. Through domain controllers, authorized users and systems gain secure and controlled access to network resources.

Security Baselines and Configuration Management

With OSConfig, Microsoft provides a solution for managing security settings at scale. OSConfig ensures consistent configurations and automatically restores them in case of deviations. It also supports scenario-based security baselines such as CIS and DISA STIG guidelines. More than 300 predefined settings are included, allowing organizations to implement and maintain a strong security posture.
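As an added example (not code from the article or from Microsoft), the following PowerShell applies the Windows Server 2025 member-server baseline with the Microsoft.OSConfig module and reports which settings are non-compliant. It assumes access to the PowerShell Gallery or an internal repository; the scenario names follow Microsoft's published OSConfig documentation, while the property names used in the compliance report (Compliance.Status, Compliance.Reason) are an assumption to be checked against the module's actual output.

```powershell
# Added example: apply and audit a WS2025 security baseline with OSConfig.
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
Import-Module Microsoft.OSConfig

# Scenarios: SecurityBaseline/WS2025/MemberServer, .../DomainController, .../WorkgroupMember
$scenario = 'SecurityBaseline/WS2025/MemberServer'

# Apply the baseline defaults. OSConfig keeps enforcing them: drift is reverted automatically.
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# Report compliance per setting (property names assumed; inspect one object with Format-List first).
$state = Get-OSConfigDesiredConfiguration -Scenario $scenario
$state | Group-Object { $_.Compliance.Status } | Select-Object Name, Count
$state |
    Where-Object { $_.Compliance.Status -ne 'Compliant' } |
    Select-Object Name, Value, @{ n = 'Reason'; e = { $_.Compliance.Reason } }

# Override a single setting when a workload genuinely needs it; the setting name comes from
# the report above, not from memory. Documented override syntax:
# Set-OSConfigDesiredConfiguration -Scenario $scenario -Setting <SettingName> -Value <Value>

# Stop enforcing the scenario (e.g. when decommissioning the host):
# Remove-OSConfigDesiredConfiguration -Scenario $scenario
```

Applying the baseline with -Default and then reviewing the non-compliant list is the safer order: OSConfig will report settings it could not enforce (for example, because a Group Policy already owns them), which is exactly where the host's real configuration diverges from the intended one.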

Network & Kerberos Defaults in 2025

Windows Server 2025 strengthens SMB signing and introduces NTLM blocking; Kerberos phases out outdated algorithms.
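The PowerShell below is an added example, not code from the original article or from Microsoft, covering the defaults described here and the "disable legacy protocols" advice later on the page: it enforces SMB signing on both sides, removes SMB1, switches NTLM to audit mode so that dependencies surface before anything is blocked, and disables TLS 1.0/1.1 in SCHANNEL. It assumes an elevated session on Windows Server 2025 and uses the documented LSA MSV1_0 and SCHANNEL registry values; the -BlockNTLM parameter is left commented out because blocking should follow a clean audit period.

```powershell
# Added example: enforce SMB signing, remove SMB1, audit NTLM, disable TLS 1.0/1.1.
# Pilot on a test host first: clients that still need SMB1, NTLM or TLS 1.0 will lose access.

# --- SMB: require signing on server and client, remove SMB1 ---------------------
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
# Server 2025 ships without SMB1; the check keeps the script idempotent on older builds.
if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1 -Remove
}

# --- NTLM: audit first, block later ------------------------------------------------
# Equivalent to "Network security: Restrict NTLM: Audit ..." policies. Events are written to
# Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord  # 2 = audit all accounts
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord  # 1 = audit only, 2 = deny
# After the audit log has been clean for a release cycle, the SMB client can refuse NTLM outright:
# Set-SmbClientConfiguration -BlockNTLM $true -Force

# --- TLS: disable 1.0 and 1.1 for server and client roles ----------------------
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $schannel $proto) $side
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name Enabled           -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
    }
}

# --- Verify ---------------------------------------------------------------------
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSMB1Protocol
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Reading the NTLM operational log for a few weeks before flipping RestrictSendingNTLMTraffic to 2 is the part that prevents outages: every entry names a client or service that still authenticates with NTLM and therefore needs a Kerberos SPN, a newer client, or an explicit exception.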

What can you do yourself?

To further strengthen the security of Windows Server 2025, you can take the following measures:

Enable Credential Guard and Virtualization-Based Security
Protect sensitive credentials through virtualization. VBS creates a secure, isolated environment for security functions.

Manage updates with Hotpatching via Azure Arc
Install updates without restarting the server, applicable to both hybrid and on-premises servers.

Implement Defender for Servers
Provides threat detection, vulnerability scanning, and security recommendations for your servers.

Disable legacy protocols
Outdated protocols often contain known vulnerabilities. Using modern alternatives prevents eavesdropping, man-in-the-middle attacks, and spoofing.

Enable secured AD settings, including machine account password rotation
Enhances overall AD security by regularly rotating machine account passwords.
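The PowerShell below is an added example (not code from the original article or from Microsoft) for the last measure: it confirms that machine account password rotation is enabled on the local host, forces an immediate rotation, and then lists domain computers whose password has not rotated within twice the policy window. It assumes a domain-joined Windows Server 2025 host with the ActiveDirectory RSAT module installed and uses the documented Netlogon parameters (MaximumPasswordAge defaults to 30 days).

```powershell
# Added example: verify and enforce machine account password rotation, then find stale accounts.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon

# Default is 30 days; a missing value means the default applies.
$maxAgeDays = if ($params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }

if ($params.DisablePasswordChange -eq 1) {
    Write-Warning 'DisablePasswordChange is set; rotation was switched off on this host. Re-enabling.'
    Set-ItemProperty -Path $netlogon -Name DisablePasswordChange -Value 0 -Type DWord
}
if ($maxAgeDays -gt 30) {
    Set-ItemProperty -Path $netlogon -Name MaximumPasswordAge -Value 30 -Type DWord
    $maxAgeDays = 30
}

# Rotate this host's own account now (needs a reachable domain controller).
Reset-ComputerMachinePassword

# Domain-wide report: enabled computers whose password is older than 2x the policy window.
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-2 * $maxAgeDays)
$stale = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, OperatingSystem, PasswordLastSet |
    Sort-Object PasswordLastSet

"{0} computer account(s) have not rotated their password since {1:yyyy-MM-dd}" -f $stale.Count, $cutoff
$stale | Format-Table -AutoSize
```

Accounts that appear in the stale list are either decommissioned machines that should be disabled (a dormant account with a valid password is a standing credential) or live hosts on which rotation was disabled, often by an old "fix" for cloned virtual machines; both are worth following up.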

FAQ

Is Defender for Cloud included with Windows Server 2025?
No. Defender for Cloud/Servers is a separate Azure service/license.

Does hotpatching never require reboots?
Monthly hotpatches do not; the quarterly baseline does.

Does Windows Server support DoH?
Yes, the DNS client does; the DNS Server role does not.

Is LDAP/TLS 1.3 available?
Yes, it is supported (via updates/newer builds).

How many baseline settings does OSConfig provide?
More than 300.