Windows Server 2022 Expert

Key Features

Secured-Core Server

Hardware-rooted security combining firmware protection, VBS, HVCI, and TPM attestation. Requires certified OEM hardware with TPM 2.0, UEFI Secure Boot, and DRTM (Intel TXT or AMD SKINIT).

# Verify VBS and Secured-core components
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object VirtualizationBasedSecurityStatus, SecurityServicesRunning,
                  SecurityServicesConfigured, CodeIntegrityPolicyEnforcementStatus
# VBS Status: 0=Off, 1=Configured, 2=Running
# SecurityServicesRunning: 1=Credential Guard, 2=HVCI, 4=System Guard Secure Launch

# Check Secure Boot and TPM
Confirm-SecureBootUEFI
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled
Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm |
    Select-Object SpecVersion

# Enable VBS and HVCI
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' `
    -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' `
    -Name 'Enabled' -Value 1 -Type DWord

HVCI may block legitimate unsigned drivers (common with older hardware). Test in audit mode first. VBS adds ~5% overhead for workloads with frequent kernel transitions.

TLS 1.3 Enabled by Default

First Windows Server with TLS 1.3 enabled and TLS 1.0/1.1 disabled by default. Major breaking change for legacy clients.

# Check TLS protocol states
$protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')
foreach ($proto in $protocols) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    $enabled = if (Test-Path $key) { (Get-ItemProperty $key -ErrorAction SilentlyContinue).Enabled } else { 'Default' }
    Write-Host "$proto : $enabled"
}

# Re-enable TLS 1.0 for legacy compatibility (NOT recommended)
$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'Enabled' -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -Type DWord

TLS 1.3 cipher suites are fixed by spec (AES_256_GCM_SHA384, AES_128_GCM_SHA256). Legacy clients (Java <8u261, old SSMS) may fail LDAPS or SQL connections.

SMB Improvements

Compression: LZ4 (default, fastest), ZSTD (better ratio), PATTERN_V1 (sparse files). Detects already-compressed data and skips compression.

Set-SmbServerConfiguration -EnableSmbCompression $true -Confirm:$false
Set-SmbClientConfiguration -EnableSmbCompression $true -Confirm:$false

AES-256 encryption:

Set-SmbServerConfiguration -EncryptionCiphers 'AES_256_GCM,AES_128_GCM' -Confirm:$false
Set-SmbShare -Name 'SecureShare' -EncryptData $true

SMB signing required by default -- prevents relay attacks but adds slight CPU overhead.

SMB over QUIC (Azure Edition only in 2022): Tunnels SMB over UDP/443 with TLS 1.3. Eliminates need for VPN for remote file access. Requires PKI certificate on server.

# Azure Edition only:
New-SmbServerCertificateMapping -Name 'QuicCert' -Thumbprint '<cert-thumbprint>' `
    -StoreName 'My' -Subject 'fileserver.contoso.com'

Hotpatch (Azure Edition Only)

Security updates applied to running processes without reboot. Quarterly baseline (reboot) + monthly hotpatch (no reboot). Available only on Azure Edition VMs running on Azure or Azure Stack HCI.

# Check Arc agent status (required for Hotpatch)
& 'C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe' show

# Check hotpatch history
Get-HotFix | Where-Object { $_.Description -eq 'Hotfix' } |
    Sort-Object InstalledOn -Descending | Select-Object -First 10

Nested Virtualization on AMD

First Windows Server to support nested Hyper-V on AMD processors (EPYC Naples/Rome/Milan+, Ryzen Pro).

Set-VMProcessor -VMName 'NestedVM' -ExposeVirtualizationExtensions $true
Set-VMNetworkAdapter -VMName 'NestedVM' -MacAddressSpoofing On

Live migration between Intel and AMD hosts with nested virt is not supported.

Container Improvements

HostProcess containers: Run directly on host network namespace, access host storage. For Kubernetes DaemonSet-style tasks.

gMSA without domain join: Container host does not need to be domain-joined.

Smaller base images: servercore:ltsc2022 ~2.3GB, nanoserver:ltsc2022 ~98MB.

Storage Bus Cache for Standalone Servers

NVMe/SSD as cache tier for HDD on non-clustered servers (previously S2D-only).

Enable-StorageBusCache
Get-StorageBusCache
Get-StorageBusCacheStore   # View cache bindings

DNS over HTTPS (DoH)

Client-side DoH for encrypted DNS queries. The DNS Server role does NOT support DoH forwarding in 2022 (added in 2025).

Add-DnsClientDohServerAddress -ServerAddress '1.1.1.1' `
    -DohTemplate 'https://cloudflare-dns.com/dns-query' `
    -AllowFallbackToUdp $true -AutoUpgrade $true

Version Boundaries

• This agent covers Windows Server 2022 (build 20348)
• SMB over QUIC and Hotpatch are Azure Edition only (expanded to all editions in 2025)
• First version with Secured-core certification
• First version with TLS 1.3 and disabled TLS 1.0/1.1
• First AMD nested virtualization support
• No DTrace (added in 2025)
• No dMSA (added in 2025)
• No GPU Partitioning (added in 2025)
• No native NVMe I/O stack (added in 2025)
• Docker is the primary container runtime (containerd default in 2025)

Common Pitfalls

1. TLS 1.0/1.1 disabled breaking legacy clients -- Audit before upgrading. Java <8u261, old LDAP clients, and some backup agents fail.
2. Assuming SMB/QUIC is available on Standard/Datacenter -- It is Azure Edition exclusive in 2022.
3. Hotpatch not covering all CVEs -- Only a subset of security updates; quarterly baselines still require reboots.
4. HVCI blocking unsigned drivers -- Test with DG Readiness tool before enforcement.
5. SMB compression increasing CPU -- Monitor CPU before enabling globally on busy file servers.
6. AES-256 requiring both endpoints on 2022/Win11 -- Older clients fall back to AES-128.
7. Storage Bus Cache requires SSD+HDD in same server -- NVMe recommended for cache tier.
8. Azure Edition cannot run on-premises -- Virtual-only on Azure or Azure Stack HCI.

Migration from Windows Server 2019

1. Audit TLS dependencies -- The TLS 1.0/1.1 default change is the highest-impact breaking change
2. Test SMB signing impact -- Required by default; measure throughput on high-volume SMB workloads
3. Evaluate Secured-core -- If hardware supports TPM 2.0 + DRTM, enable VBS and HVCI
4. Plan container image updates -- Pull ltsc2022 base images; ltsc2019 images work under Hyper-V isolation
5. Consider Azure Edition -- For Hotpatch and SMB over QUIC (if running in Azure)
6. Deploy Azure Arc -- Recommended management layer for hybrid environments

Reference Files

Load these for deep knowledge:

• ../references/architecture.md -- Storage engine, boot process, registry, networking
• ../references/diagnostics.md -- Event logs, performance counters, BSOD analysis
• ../references/best-practices.md -- Hardening, patching, backup, Group Policy
• ../references/editions.md -- Edition features, licensing, upgrade paths