Security The new security capabilities in Windows Server 2022 combine other security capabilities in Windows Server across multiple areas to provide defense-in-depth protection against advanced threats. Advanced multi-layer security in Windows Server 2022 provides the comprehensive protection that servers need today. Secured-core server Certified Secured-core server hardware from an OEM partner provides additional security protections that are useful against sophisticated attacks. This can provide increased assurance when handling mission critical data in some of the most data sensitive industries. A Secured-core server uses hardware firmware and driver capabilities to enable advanced Windows Server security features. Many of these features are available in Windows Secured-core PCs and are now also available with Secured-core server hardware and Windows Server 2022. Hardware root-of-trust Trusted Platform Module 2.0 (TPM 2.0) secure crypto-processor chips provide a secure hardware-based store for sensitive cryptographic keys and data including systems integrity measurements. TPM 2.0 can verify that the server has been started with legitimate code and can be trusted by subsequent code execution. This is known as a hardware root-of-trust and is used by features such as BitLocker drive encryption. Firmware protection Firmware executes with high privileges and is often invisible to traditional anti-virus solutions which has lead to a rise in the number of firmware-based attacks. Secured-core server processors support measurement and verification of boot processes with Dynamic Root of Trust for Measurement (DRTM) technology and isolation of driver access to memory with Direct Memory Access (DMA) protection. Virtualization-based security (VBS) Secured-core servers support virtualization-based security (VBS) and hypervisor-based code integrity (HVCI). VBS uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system protecting against an entire class of vulnerabilities used in cryptocurrency mining attacks. VBS also allows for the use of Credential Guard where user credentials and secrets are stored in a virtual container that the operating system cannot access directly. HVCI uses VBS to significantly strengthen code integrity policy enforcement including kernel mode integrity which checks all kernel mode drivers and binaries in a virtualized environment before they are started preventing unsigned drivers or system files from being loaded into system memory. Secure connectivity Secure connections are at the heart of today's interconnected systems. Transport Layer Security (TLS) 1.3 is the latest version of the internet's most deployed security protocol which encrypts data to provide a secure communication channel between two endpoints. HTTPS and TLS 1.3 are now enabled by default on Windows Server 2022 protecting the data of clients connecting to the server. It eliminates obsolete cryptographic algorithms enhances security over older versions and aims to encrypt as much of the handshake as possible. Learn more about supported TLS versions and about supported cipher suites. Secure DNS Encrypted DNS name resolution requests with DNS-over-HTTPS DNS Client in Windows Server 2022 now supports DNS-over-HTTPS (DoH) which encrypts DNS queries using the HTTPS protocol. This helps keep your traffic as private as possible by preventing eavesdropping and your DNS data being manipulated. Learn more about configuring the DNS client to use DoH. Server Message Block (SMB) SMB AES-256 encryption for the most security conscious Windows Server now supports AES-256-GCM and AES-256-CCM cryptographic suites for SMB encryption. Windows will automatically negotiate this more advanced cipher method when connecting to another computer that also supports it and it can also be manda