What’s New in Windows Server 2019 Insider Preview Builds

The features listed below are available in preview builds of Windows Server 2019 via the Windows Insider Program for Server. To obtain the Insider software downloads, registered Insiders may navigate directly to the Windows Server Insider Preview download page. If you have not yet registered as an Insider, see Getting started with Server.

We also encourage you to visit the Windows Server Insiders space on the Microsoft Tech Communities forum to collaborate, share, and learn from experts.

In-place upgrades

In-place upgrade allows an administrator to upgrade an existing installation of Windows Server to a newer version, retaining settings and installed features. The LTSC versions and editions of Windows Server that are supported for in-place upgrade are shown in the following table.

Source version                       Supported upgrade target
Windows Server 2016 Standard         Windows Server 2019 Standard or Datacenter
Windows Server 2016 Datacenter       Windows Server 2019 Datacenter
Windows Server 2012 R2 Standard      Windows Server 2019 Standard or Datacenter
Windows Server 2012 R2 Datacenter    Windows Server 2019 Datacenter

Storage Migration Service

A common issue around Windows Server is a lack of data migration options from older operating systems and storage platforms. Many customers run Windows Server 2012 R2, Windows Server 2008 R2, or even Windows Server 2003 simply because in-place upgrades were impossible and manual data migrations were slow and likely to cause significant service interruption or even loss of access to users and applications.

Windows Server 2019 introduces the Storage Migration Service (SMS), a new role included in Windows Server Standard and Datacenter editions. SMS is a job-based orchestration and proxy that:

  • Allows administrators to inventory existing servers for their data, security, and network settings.
  • Migrates that data, security, and network settings to a new, modern target by using the SMB protocol.
  • Takes over the identity of the old server completely, while decommissioning the original source, in such a way that users and applications are unaffected and unaware that migration has taken place.

SMS provides orchestrated workflow with a Honolulu-based graphical management system, allowing scalable migrations of many servers simultaneously to new targets running on premises or in Azure.


SMS handles common problems and subtleties of a migration, including in-use files, share settings, security settings, network addresses and names, local security principals, encrypted data, and more. All of this is available from an intuitive graphical interface, which is backed by robust PowerShell automation.

SMS is under active development, and you will see many changes and improvements with each preview. Furthermore, the use of the Honolulu management system enables out-of-band changes through its extension manager system, allowing us to act on your feedback more frequently than the Windows Server preview mechanism allows.

For more information on deploying and using the Storage Migration Service, please visit https://aka.ms/stormigser.

Extending your Clusters with Cluster Sets

“Cluster Sets” is the new cloud scale-out technology that increases cluster node count in a single SDDC (Software-Defined Data Center) cloud by orders of magnitude. A Cluster Set is a loosely-coupled grouping of multiple Failover Clusters: compute, storage or hyper-converged. Cluster Sets technology enables virtual machine fluidity across member clusters within a Cluster Set and a unified storage namespace across the "set" in support of virtual machine fluidity. While preserving existing Failover Cluster management experiences on member clusters, a Cluster Set instance additionally offers key use cases around lifecycle management of a Cluster Set at the aggregate.

Windows Defender Advanced Threat Protection

We provide deep platform sensors and response actions: visibility into memory-level and kernel-level attacker activity, and the ability to act on compromised machines in response to incidents, such as remotely collecting additional forensic data, remediating malicious files, and terminating malicious processes.

If you’re already using Windows Defender Advanced Threat Protection (ATP), preview these features by simply installing the latest preview build of Windows Server, and onboard it to Windows Defender ATP.

Otherwise, sign up for the Windows Defender ATP trial on Windows Defender Advanced Threat Protection.

Windows Defender ATP Exploit Guard

Windows Defender ATP Exploit Guard is a new set of host-intrusion prevention capabilities. The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements.

  • Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking suspicious malicious files (for example, Office files), scripts, lateral movement, ransomware behavior, and email-based threats.

  • Network protection: Protects the endpoint against web-based threats by blocking outbound connections from any process on the device to untrusted hosts/IP addresses, using Windows Defender SmartScreen reputation.

  • Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders.

  • Exploit protection: A set of mitigations for vulnerability exploits (replacing EMET) that can be easily configured to protect your system and applications.

To deploy a default set of Exploit Guard policies on Windows Server, run the following cmdlets:

# Controlled folder access and network protection
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -EnableNetworkProtection Enabled

# Attack surface reduction rules. The rule GUIDs did not survive in this copy of the
# page; each line takes one ASR rule GUID after -AttackSurfaceReductionRules_Ids.
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Disabled
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule GUID> -AttackSurfaceReductionRules_Actions Enabled

# Exploit protection: download the sample mitigation policy and apply it system-wide
$url = 'https://demo.wd.microsoft.com/Content/ProcessMitigation.xml'
Invoke-WebRequest $url -OutFile ProcessMitigation.xml
Write-Host "Enabling Exploit Protection"
Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml
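Once the cmdlets above have run, it is worth confirming that the settings actually took and stay that way. The following script is an added example, not part of the original page or a Microsoft tool; it reads the live Defender preferences with Get-MpPreference, decodes the 0/1/2 action codes, and flags anything that differs from the intended baseline. The helper names Get-ExploitGuardState and Test-ExploitGuardBaseline are this example's own.

```powershell
# Added example, not from the original page: report the Exploit Guard state the
# deployment cmdlets are meant to produce, so drift from that baseline is visible.
# Assumes Windows Defender Antivirus is running (Get-MpPreference is its cmdlet).

# Defender encodes the ASR rule actions and the Enable* switches as 0/1/2.
$actionName = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }

function Get-ExploitGuardState {
    $pref = Get-MpPreference
    # Pipe through Where-Object so an unset ($null) property yields an empty array
    $ids  = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    [pscustomobject]@{
        ControlledFolderAccess = $actionName[[int]$pref.EnableControlledFolderAccess]
        NetworkProtection      = $actionName[[int]$pref.EnableNetworkProtection]
        AsrRules               = @(for ($i = 0; $i -lt $ids.Count; $i++) {
            [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionName[[int]$acts[$i]] }
        })
    }
}

function Test-ExploitGuardBaseline {
    $state = Get-ExploitGuardState
    $findings = @()
    if ($state.ControlledFolderAccess -ne 'Enabled (block)') {
        $findings += "Controlled folder access is $($state.ControlledFolderAccess)"
    }
    if ($state.NetworkProtection -ne 'Enabled (block)') {
        $findings += "Network protection is $($state.NetworkProtection)"
    }
    if ($state.AsrRules.Count -eq 0) { $findings += 'No ASR rules are configured' }
    foreach ($r in ($state.AsrRules | Where-Object Action -eq 'Disabled')) {
        $findings += "ASR rule $($r.RuleId) is explicitly disabled"
    }
    $findings
}

$state = Get-ExploitGuardState
$state | Select-Object ControlledFolderAccess, NetworkProtection | Format-List
$state.AsrRules | Format-Table -AutoSize

$findings = Test-ExploitGuardBaseline
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Exploit Guard matches the intended baseline' }

# Exploit protection has no Enable* switch; review the system-wide mitigations
# against the ProcessMitigation.xml that Set-ProcessMitigation imported.
Get-ProcessMitigation -System
```

A rule reported as Disabled is not necessarily wrong (the page's own deployment disables one), but it should be a deliberate choice that the report makes visible rather than a silent gap.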

Windows Defender Application Control

Windows Defender Application Control—also known as Code Integrity (CI) policy—was released in Windows Server 2016. Customer feedback has suggested that it is a great concept, but hard to deploy. To address this, we are building default CI policies, which will allow all Windows in-box files and Microsoft applications, such as SQL Server, and block known executables that can bypass CI.

The package contains an audit version and an enforced version. If the server doesn’t require additional drivers/applications, you can deploy the enforced version. Otherwise, you can use the audit policy, check uncovered executables, and then merge them into the default CI policy.

To deploy the default code integrity policy, run the following commands:

Copy-Item C:\CI\ServerDefault-EnforcedCI.bin   # the destination path did not survive in this copy of the page

Reboot the server to allow code integrity service to load the policy.
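The audit-then-merge workflow described above depends on finding the executables the audit policy would have blocked. The script below is an added example, not from the original page or the Windows Defender Application Control tooling; it pulls those audit events from the Code Integrity event log and groups them by file. The function name Get-CIAuditFindings is this example's own, and the EventData field names FileNameBuffer and ProcessNameBuffer are assumed from the event XML.

```powershell
# Added example, not from the original page: after the audit CI policy has run for
# a while, list the binaries it would have blocked so they can be reviewed and
# merged into the policy before the enforced version is deployed.
# Event ID 3076 in the Code Integrity log is the audit-mode "would have blocked"
# event; 3077 is the enforced block. The field names FileNameBuffer and
# ProcessNameBuffer are assumed; confirm them in Event Viewer's XML view.
function Get-CIAuditFindings {
    param([int]$Days = 7, [int]$EventId = 3076)
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no findings"
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $e.TimeCreated
            File    = ($data | Where-Object Name -eq 'FileNameBuffer').'#text'
            Process = ($data | Where-Object Name -eq 'ProcessNameBuffer').'#text'
        }
    }
}

# Distinct files, most frequent first: these are the "uncovered executables" to
# examine (publisher, path, and whether they belong on the server at all) before
# they are merged into the default CI policy.
Get-CIAuditFindings -Days 7 |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Running the same function with -EventId 3077 after switching to the enforced policy shows what is actually being blocked in production, which is the check to repeat after every application or driver change.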

Failover Cluster removing use of NTLM authentication

Windows Server Failover Clusters no longer use NTLM authentication; they use Kerberos and certificate-based authentication exclusively. No changes are required by the user or by deployment tools to take advantage of this security enhancement. It also allows failover clusters to be deployed in environments where NTLM has been disabled.

Shielded virtual machines – Offline mode, VMConnect and Linux support

You can now run shielded virtual machines on machines with intermittent connectivity to the Host Guardian Service by using the new fallback HGS and offline mode features. Fallback HGS allows you to configure a second set of URLs for Hyper-V to try if it can't reach your primary HGS server. To see how this can be used in a branch-office scenario, see Improved branch office support for shielded VMs in Windows Server, version 1709 on our blog. Offline mode allows you to continue to start up your shielded VMs, even if HGS can't be reached, as long as the VM has started successfully once and the host's security configuration has not changed. (To enable offline mode, run the following command on the Host Guardian Service: Set-HgsKeyProtectionConfiguration -AllowKeyMaterialCaching.)

We've also made it easier to troubleshoot your shielded virtual machines by enabling support for VMConnect Enhanced Session Mode and PowerShell Direct. These tools are particularly useful if you've lost network connectivity to your VM and need to update its configuration to restore access. These features do not need to be configured, and they will automatically become available when a shielded VM is placed on a Hyper-V host running build 17040 or later.

For customers who run mixed-OS environments, we now support running Ubuntu, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server inside shielded virtual machines. Try it out—Create a Linux shielded VM template disk—and send us your feedback in the Feedback Hub.

Encrypted Network in SDN

Network traffic going out from a VM host can be snooped on and/or manipulated by anyone with access to the physical fabric. While shielded VMs protect VM data from theft and manipulation, similar protection is required for network traffic to and from a VM. While the tenant can set up protection such as IPsec, this is difficult due to configuration complexity and heterogeneous environments.

Encrypted Networks is a feature that provides simple-to-configure DTLS-based encryption, using the Network Controller to manage the end-to-end encryption and protect data as it travels through the wires and network devices between the hosts. It is configured by the administrator on a per-subnet basis. This enables VM-to-VM traffic within the VM subnet to be automatically encrypted as it leaves the host, preventing snooping and manipulation of traffic on the wire. This is done without requiring any configuration changes in the VMs themselves. Try it out—Configure Encryption for a Virtual Subnet—and send us your feedback in the Feedback Hub.


Software Defined Datacenter

If you are using Storage Spaces Direct, take a look at performance history for Storage Spaces Direct.

Performance history for Storage Spaces Direct

Administrators of Storage Spaces Direct can now get easy access to historical performance and capacity data from their cluster. Did CPU usage spike last night? When did this drive become slow? Which virtual machine used the most memory last month? Is network activity trending up or down? The cluster is pushing 1,000,000 IOPS – is that my new record? Previously, you'd need external tooling to answer these questions. No more!

Beginning in build 17090, beautiful new charts in Project Honolulu (and new PowerShell cmdlets, for those so inclined) empower you to answer these questions. There's nothing to install, configure, or start—it's built-in and always-on. Learn more at https://aka.ms/clusterperformancehistory.
