Starting in mid-April 2026, Microsoft allows you to upgrade Windows Server 2019 and Windows Server 2022 directly to Windows Server 2025 through Windows Update — no installation media (ISO file or DVD) required. The process is called an in-place upgrade, meaning your installed applications, settings, and server roles remain unchanged while only the operating system version changes. This article covers the prerequisites, the exact registry change you need to make, the step-by-step procedure for both the graphical desktop and the text-only Server Core installation, and the important cases where you must not use this method.

Source

Windows Server vNext Insider Preview build 29531 introduces ReFS boot, allowing you to install and start Windows Server from a Resilient File System (ReFS)-formatted boot volume for the first time. This feature brings integrity-level metadata checksums, online corruption repair, block cloning, and 35-petabyte volume scalability to the OS boot partition — capabilities that NTFS cannot match. ReFS boot requires UEFI firmware and a minimum of 2 GB for the WinRE partition. Learn how to enable Windows ReFS boot during Windows Server installation.

Source

Microsoft released version 2602 of the Security Baseline for Windows Server 2025, approximately eight months after the previous version 2506. The update adds 10 new Group Policy settings and removes one, focusing on NTLM auditing, printer security, and authentication hardening. Most of the new policies were already included in the Windows 11 Security Baselines since 2022 and are now being backported to the server edition. The baseline is available as part of the Microsoft Security Compliance Toolkit 1.0.

Source

DNS over HTTPS (DoH) is a protocol that encrypts Domain Name System (DNS) queries and transmits them over HTTPS. This security enhancement prevents eavesdropping and manipulation of DNS traffic, addressing fundamental vulnerabilities in traditional DNS infrastructure that operates in plaintext. The DoH architecture consists of two components: the client, which initiates encrypted DNS queries, and the resolver (or server), which processes them. Windows has supported DoH on the client side since Windows 11. While Windows 10 includes the underlying client support in later builds (Insider Preview 19628 and later), it does not expose this functionality in the Settings app and requires manual Registry configuration, making it effectively unsupported for most users.

Source

Microsoft announced a comprehensive roadmap to phase out the legacy NTLM (New Technology LAN Manager) authentication protocol in favor of more secure Kerberos-based alternatives. The company plans to disable NTLM by default in the next major Windows Server release and associated Windows client versions, marking a significant step toward enhancing Windows security after more than three decades of NTLM usage.

Source