Windows Server V.next - BRK403

The document discusses new features in the upcoming Windows Server vNext release, including hot patching which allows installing updates without reboots, expanded support for hot patching on more platforms and clouds, improvements to Active Directory like increased scalability and security features, and a demonstration of hot patching significantly reducing patching time compared to traditional reboots.


Microsoft Ignite

November 15-17, 2023

Session: BRK403

Speakers: Jeff Woolsey, Eldon Christensen

[MUSIC]

JEFF WOOLSEY: Greetings everyone. How's everybody doing this morning? We can do better
than that. How's everybody doing this morning? Oh my goodness. It is so great to see you all. I
am so excited. Eldon and I have been anxiously awaiting. This is my partner, Eldon Christensen.
Say hello Eldon everyone.

ELDON CHRISTENSEN: How are you doing?

JEFF WOOLSEY: I'm Jeff. You guys may know me. It is truly a pleasure to be here. We've been holding the wraps. One of the hardest parts of our job is to honestly keep the secrets in, and we have been waiting for this session for a long time. Without any further ado, this is what's new in Windows Server vNext. Let's talk about the agenda. First item of business is your top request, your number 1, not your number 10, not your number 100, your top request. We're going to get right to that. We're going to talk next generation Active Directory and SMB, mission critical data and storage, Hyper-V and AI, what did he just say? That's right, Hyper-V and AI. We're going to talk container flexibility. We're going to talk about another one of your top requests. It's either number 2 or number 3. Then finally, we're going to talk about a modern server experience. We are in the takeoff position. Everybody strap yourself in, it's time to talk about Windows Server vNext.

Let's talk about one of your absolute favorite features. It happens to be used by our friends over in Xbox. When it comes to mission critical, the Xbox team has been using Windows Server Azure Edition hot patching. They absolutely love it. To give you perspective, they have over 1,000 servers running in 18 different services. They're running between two and 120 SQL servers and some workloads have been running for over 15 years. This started off completely on physical, it moved into virtual, and now it's all Azure VMs. Now obviously this is mission critical because if you can't play your games, that's it, it's end times. Nobody wants to hear about that, it's big trouble. For patching the team obviously had a way to do this. It's been automated as a complete process. Hot patching took three weeks out of every month to roll out the updates across the entire infrastructure without any downtime. This happened, of course, 12 times a year. With Windows Server 2022 Azure Edition, they went to patching all 1,000 servers in less than 48 hours. That is not a typo. First of all, I want to say they sent us candy. It was nice. The Xbox team is pretty happy about this. They're like, this is a massive time saver because this can all happen in real time.

Let me show you, let's talk about hot patching. Hot patching is a new way to install updates that doesn't require a reboot and won't interrupt your workloads that are running on the server. Let me quickly describe this demo environment. You can see I've got the right hand and the left hand side. On the right hand side I have a Windows Server Core VM that I'm going to manually install hotpatch updates on. I'm doing this as manually as possible, so you can see this. On the left hand side, for comparison, we have our traditional updates. These are called LCUs, or Latest Cumulative Updates. This is a traditional update. At the bottom, you can see here I've got two sample workloads; these are file copies. I just want to show you we have an active workload that we do not want to disrupt. At the top of this, we've got a timer, so we can actually see in real time the patching that's going on. Let's go ahead and do a traditional versus a hotpatch. In fact, on the left hand side, we're going to start with the traditional and I'm going to give it a head start. I'm going to let that thing start first. On the left hand side is the traditional update and on the right hand side, it's done. Did you blink? I'm sorry if you missed it. That's a hotpatch; that server is now secured. It's patched. No reboot was required, my copy continued. I feel bad about that. Let's actually do a second hot patch. This time you can pay closer attention. We'll do a second hot patch on the right hand side. Left one's still chugging along, we're at like 12 percent. Here we are installing a second hot patch, and you can see just like that it's done. Thank you. You can see the copies continued without interruption, no change. This all happens in memory, there's no reboot required. This is happening and it's protecting my running process. My security is already heightened and elevated. On the left hand side, we're still chugging along at that traditional update. Let me go ahead and speed that up a little bit. I don't have a lot of time and we have a ton of content. Let's go ahead and speed this up to the end. We're at four minutes, five minutes, six minutes, seven minutes. Guess what? We're done. Now, a reboot's required. Now, if I reboot right now, guess what's going to happen? I'm going to lose my copy. I don't want to do that, so I'm going to sit around and wait for that. If that isn't impactful, if that isn't showing you why the Xbox team has deployed this in production and has been using this for months and months and why they are so happy, I don't know what does.

Now, this is Server Core and I always get asked, Jeff, what about full desktop? We got that covered too. If you're using Windows Server 2022 Azure Edition, guess what? Whether you're using Server Core or using it with the Desktop Experience, either one, we've got hotpatching. This takes me to your number one request. Since we released this feature, every single day: Jeff, this is great. Hotpatching is a game changing feature, no reboots, no downtime. Are you kidding me? Please, Microsoft, I am begging you. We need hotpatching everywhere, not just Azure Edition: running on premises, on Azure Stack HCI, we need it including VMware and even other clouds. We are delivering Arc-enabled Windows Server vNext hotpatching. What does that mean? It means everybody gets hotpatching, you get hotpatching. My buddy back here gets hotpatching. You want that on Windows Server Standard edition? Done. You want that on Datacenter edition? Done. Physical, virtual, other clouds. That's right. Other clouds, everybody gets hotpatching. Now it's enabled via the Azure Portal with Azure Arc. Yes, there is a monthly subscription. Not going to hide that, going to be super transparent, but it gives you the option to deploy it wherever you'd like. Of course, if you do continue to run this on Azure or Azure Stack, it's no additional charge, it's just included. Everybody gets hot patching in Windows Server vNext.

Next, Active Directory. Stupid question. How many of you use Active Directory? Every hand goes up. Of course you do. It's the gold standard. It's what we all use for authentication, for identity management. It is the gold standard. Well, I'm excited about what we're delivering in Next-Gen AD. It starts with something. We're going to go back and deliver some scalability improvements. If you go back to Active Directory and Windows 2000. Yes, Windows 2000, the database pages are 8K. That was great for Windows 2000. It was okay for 2003, 2008. But as we've gotten bigger and systems have gotten larger and organizations have gotten bigger, everyone said we're hitting our head on some of these scalability limitations. In vNext we're moving to 32K pages for the database. Now I want to be super clear, we're going to make this a transparent transaction. I don't want anybody leaving this room freaking out, going, my AD is about to go through some catastrophic, major changes. Super simple. A new domain controller is installed with 32K page database support. Try and say that three times fast, but it runs in an 8K page mode for compatibility. If it's still talking with legacy domain controllers, all good, it's transparent. You don't know anything about it. An upgraded domain controller, if you go from an old one to a new one and you do an upgrade, guess what? Still 8K pages. You need to actually move to a forest-wide and domain-wide Windows Server vNext domain and forest on all your domain controllers and you get this new feature and this new capability and this new scalability. You will stop running into scalability limitations there.

Now speaking of scalability, one of the other changes we're making is, again, if you look back at Active Directory, when we launched it back in 2000, it didn't need to support big systems because the biggest systems that we were shipping were like two and four sockets with one core each; there was no multi-core. If you look at Active Directory today, guess what? People are deploying it on servers that have 32, 64, 96, 128 cores on them. Actually Active Directory doesn't scale to those. A nice scalability enhancement we've run into for very large organizations is now we've unlocked that NUMA scalability. We will support more than 64 cores with Active Directory.

And then there's just security, and it's just a laundry list of security. I don't have time to go through every one of these. But there's a few things I want to point out. The top one, LDAP support for TLS 1.3. I am super proud of the investments we made in TLS 1.3 in Windows Server 2022. They are dramatically improving the security for servers everywhere. Now we're bringing this to LDAP and Schannel support for TLS 1.3. When you're communicating with domain controllers using confidential attributes, the connection now requires encryption. This ceased to be optional. It's now: nope, you're making those changes, you have to be on an encrypted network. LDAP prefers encryption by default. Changes to Kerberos PKINIT. Cryptographic changes, huge changes across the board, all for scalability and security in Windows Server vNext Active Directory. One other feature here is replication priority when you're doing an initial replication. You're doing a replication and sometimes this could be long distances, long sites. You actually want to give it a boost and say, you know, for this first one, let's actually give it a priority boost, so this will go faster. Instead of kind of doing this quietly in the background, let's actually push this forward. That's a new capability in vNext as well. We've done some security hardening. We're getting rid of ancient things like mailslots. The big thing, of course, is there is a new Active Directory functional level. If you want these features, there's a new forest and domain functional level. In case you're wondering, because I know someone's going to ask, I'm going to stop you right now. Jeff, are you going to back port these to the last AD? No, not even remotely close. Please don't ask. Not going to happen. If you're wondering, Jeff, how do I get to this new version? Because I want all these things, a couple things to point out. You have to be running on at least 2016 or greater for your domain controllers. If you're running 2008 and 2012, I'm sorry, I have no pity for you at this point. Those things are ancient. They are out of support. The last thing you should be doing is running domain controllers on stuff that old. Make sure you're at least on 2016, so when vNext rolls around, you'll have a smooth transition to the next release.

Then of course a big one, and it's AD but really not AD. It's an interesting one. I've got to point to my buddy over here, Ned, which is local KDC and local Kerb. If you haven't been following Ned and myself on social media and our blog posts, we are working fervently to get rid of NTLM. It's on its way to deprecation. '90s technology that needs to go, and it needs to go badly. We now have local Kerberos key distribution being built into Windows, not just domain controllers. Kerberos auth for local user accounts. This is a big change. Please be following us on Twitter, be following us on our blogs, this is a big change and this is a huge positive change for everyone. Eldon, I've been talking for a while. It's time for you to talk about some cool storage stuff.

ELDON CHRISTENSEN: Thanks Jeff. I was sitting there, we're all scratching our heads like, how are we going to make a hot patching demo exciting? Because it's like the least exciting demo ever. We're sitting there scratching our heads going, how are we going to make that exciting? Because, just as infrastructure people, the less exciting something is, the better it is. Let's talk about storage for a second and what's happening around storage. So specifically, let's talk about NVMe for a minute. We wanted to do a lot of optimizations in vNext, for the next version of Windows Server, around optimizing for NVMe storage. We want to improve performance and reduce CPU overhead associated with NVMe devices. Let's take a look. I've got a little comparison of how things are going here. If you look on your left, you're going to see Windows Server 2022 as you know it today. On the right is vNext. You'll notice we're doing 1.1 million IOPS on the left, and on the right we're doing 1.86. That's a 70 percent increase in IOPS and you don't have to do anything, you just have to upgrade. You just have to upgrade from 22 to vNext. And you're going to be running 70 percent faster on an NVMe device.

JEFF WOOLSEY: Anybody interested in a 70 percent performance increase? Yes. Awesome.

ELDON CHRISTENSEN: That's the start. That's where we're at if you go install the Windows Server Insiders build today. But we want to do better. We have a new NVMe native driver coming, which is going to accelerate performance even greater. Let's look at that same comparison. If you were to look at what we are today on the left, at 1.1 million IOPS, on the right we're actually going to be at 2.1. That's actually a 90 percent increase using the native NVMe driver. It's in preview, so it's coming, but you're going to get 70 percent on the Insider builds today and we're going to get you to 90 percent here pretty quick.

JEFF WOOLSEY: Anybody excited about a 90 percent storage increase? Come on.

ELDON CHRISTENSEN: We want to embrace choice in storage. We have Storage Spaces Direct. If you want to do software defined storage, we have Spaces. But some of you love the storage you've already paid for or embrace SANs. We embrace choice. NVMe over Fabrics is emerging as the new block connectivity for storage area networks, for SANs. We're going to have a new NVMe over Fabrics initiator coming in vNext as well. That's going to be in preview, it's not in the builds today but it's coming soon. I want to give everybody a heads up there. We're going to embrace NVMe over Fabrics.

Let's talk about a few other storage enhancements that are coming. Anyone who's using Storage Replica today, we did a bunch of enhancements with the Storage Replica log and so that's going to give you about a 3x performance improvement, so for anybody who's using Storage Replica today, that's a big performance boost. If you look at some of the enhancements around it, I'm just touching on a few of the things. There's many things we can be talking about here. Another thing I want to talk about is on ReFS. Today we have dedup, an NTFS dedup. We have a new ReFS native dedup coming in vNext. What's different about the two? The NTFS dedup you know today is really optimized for cold storage. It's really great with like a file server: you got some data, you touch it, you modify it, and then it's cold on the back end and then it's going to be deduped. The new ReFS native dedup is really optimized for hot data, or enables hot data. For example, you've got a bunch of virtual machines. You've got some VHDs. Those VHDs are always open, the VMs are running, and it's optimized for those types of scenarios as well.

Then if you also look at Azure Stack HCI. Azure Stack HCI is on an annual release cadence. Once a year we release Azure Stack HCI. Then LTSC is on a slightly longer release cadence. Well, we're going to accrue all that value from the core OS into Windows Server as well, some of those other features you've seen show up in Azure Stack HCI, such as thinly provisioned storage spaces, stretch cluster support for Storage Spaces Direct. Those are now going to accrue value into the next version of Windows Server.

If we want to take a little bit of a look at what's happening in clustering. We do support Active Directory-less, AD-less clusters today, and a lot of customers want to go deploy little two node clusters out at the edge. You've got a little remote store, a factory, and then want to reduce the infrastructure as much as possible. We allow AD-less clusters. Well, if you want to do virtual machines there's one thing that doesn't work and that's doing live migration of VMs, and what good is a Hyper-V deployment without live migration? You can quick migrate, but nobody wants that. Now you're going to be able to do cert-based authentication for live migration. It has no AD dependencies to be able to do live migration. Now you're out at your remote facilities where you don't want to have local domain controllers. You don't want to have dependencies in case Internet connectivity goes down. You can now do surface live migration. Again, I talked about we're going to support stretch clusters, and that Storage Replica performance improvement is a big piece that's going to enable that. We also did like a complete rewrite of Cluster-Aware Updating just to really improve the reliability and stability. It's now an integrated component in the cluster service.

JEFF WOOLSEY: Love it.

ELDON CHRISTENSEN: With that, I'm going to head back to Jeff.

JEFF WOOLSEY: Thank you, Eldon. Time to switch gears. Love all the storage enhancements. Now let's switch from storage to compute and Hyper-V. Just a quick reminder, I know you probably know this, but I have to say this: Hyper-V is literally used everywhere, and I cannot stress this enough. It is a strategically important technology. Let me say that one more time for the people in back. Hyper-V is a strategically important technology. But don't believe a word I say. Look at where we're using it, this little thing called Azure. I don't know if you've heard of that? That's all Hyper-V. That's the Azure Hypervisor system. The Azure Stack family, Windows Server, Windows client, containers use it. We use it for platform security throughout, virtualization based security. All of that stuff, that's all Hyper-V. Guys on our Xbox use it too. By the way, these are the only things I can talk to you about. There's also plenty of other things. But it is a critically, strategically important technology for us, and we continue to innovate. In fact, just to give you a little peek, this was something that Mark Russinovich posted earlier this week. Here's the Azure Hypervisor system. Anybody need a virtual machine with 1,792 virtual processors with 29.7 terabytes of RAM?

ELDON CHRISTENSEN: Yes, please, is the answer. We're continuing to innovate. When people say, hey, isn't hypervisor innovation done? We're like no, not even close. This is just one example. There's a lot more coming. By the way, I should also point out, while we're talking about what's new in vNext, there's so much we're not able to even tell you everything. This is only the first peek at what's new in Windows Server vNext.

Let's talk about Hyper-V and AI. Now when you think AI, what are you thinking? Well, you saw Jensen onstage with Satya. We were talking GPUs. Let's talk GPUs for a second. If you look at Windows Server 2022, where we are today with GPU support, what does that mean? Well, we have GPU with discrete device assignment. What that means is I can take a full GPU and I can map it inside the virtual machine. In fact, the host doesn't even see it anymore, it's gone, it doesn't even appear in Device Manager. It is completely mapped inside the virtual machine. Now, it's great for workloads that need to consume an entire GPU, but you don't get failover clustering, you don't get live migration and there's no sharing. It's literally one virtual machine gets all that GPU. Introducing Windows Server vNext GPU-P support for GPU partitioning. What does that mean? Thank you. It means you can share a GPU across multiple virtual machines. You create GPU partitions. You then assign a partition to a virtual machine that supports that capability. In terms of management, of course there's PowerShell and there's Windows Admin Center, WAC. You have full support for live migration and failover clustering. Now the first thing I know I'm going to get asked is, Jeff, can I use this on my 10 year old server? This is what the requirements are. Number one, SR-IOV is required, which is single root I/O virtualization. It's because you need to have the control plane in the host and the data plane running in the guest. It's how we can manage live migration. It requires AMD Milan or later, or Intel Sapphire Rapids or later. In terms of GPUs, and this is just a short list, there's more coming. There's a bunch of NVIDIA GPUs and again, both live migration and high availability are supported. You can do this within a cluster. You can even do this standalone. If I had two standalone servers with no clustering set up at all, I can live migrate VMs with GPUs between them with nothing but a network cable. Supported guests: Windows, Windows Server.

But let's actually show it to you. What does GPU-P look like? Right off the bat, here I am in Windows Admin Center, and I want to show you I have four hosts, and each one of these hosts, right below it, you can see has an NVIDIA A2 GPU inside of each of the hosts. You can see I have virtual assigned to each of these. You can see the second host, it has 16 partitions. Now the rest of them only have four, and I want them to all have the same number of partitions. Let's actually go and configure the partitions on this GPU. All I'm going to do is select that system. Click on "Configure partition count". Now I can come in here and select the number of partitions. I want it to be four, because I want it to match and I want it to be symmetrical with the rest of the cluster. I want a homogeneous GPU partitioning configuration. Now I've configured that. I go back in here and you can see now this host has four partitions. But let's go ahead now and assign that to a virtual machine. Real simple. Click on "Assign partition". Come in here, select the virtual machine I want to assign to this partition, and just like that, I click on "Assign partition" and it's done. Now this is configuration. But let me give you a sneak peek at actually what it looks like in terms of performance. We're going to actually bring up a number of running virtual machines. Here I am running a traditional Hyper-V VM. There is no NVIDIA adapter. You can see it's just the Hyper-V video. This is just stock Hyper-V GPU. I'm going to bring up another window and you can see this one has the NVIDIA driver in it. You can see there it is, guest side inside the virtual machine, I have given that partition to it. Let's fire up a couple of GPU tests. On the right hand side, we're going to go ahead and bring up the web sample of our aquarium. You can see there's 500 fish selected, and it's running at a whopping four frames per second. No GPU acceleration, it's just synthetic video. Not a surprise. Again, that's only 500 fish. If we go to the left hand side, let's go ahead and fire this up. This is 5,000 fish, so it's 10 times more, and we're getting 30 frames per second. Now, I do want you to keep in mind this is multiple RDP sessions, so if it looks a little chunky, it's because we're actually doing multiple RDP sessions. Let's bring up a second window and you can see, by the way, it's still doing 30 frames per second. There's no drop because they are individually partitioned between the virtual machines. Let's bring up a third one. Again, 30 frames per second. Fish are flying pretty well, and just for giggles, we actually brought up a fourth one, doing something completely different, just rendering some video. GPU partitioning allows you to assign GPU partitions to virtual machines so that you can use it for whatever you're looking for in terms of workloads running inside the virtual machines.

Now, that isn't all we've done with GPUs. I told you we have GPU with DDA today, with device assignment; we improved this as well. There are people that still like the fact that I can take a full GPU and just map it inside the virtual machine and it's the full GPU. But we wanted to improve that with high availability, so we're introducing GPU pools. This is so you can group GPU pools to get high availability. On every node, you create a PCI Express resource pool with the same name and add the GPUs to the pool so that during a failover, guess what, the cluster will start the VM on another node and assign the GPU to the virtual machine and you will continue in a clustered environment. I do want to point out this is HA only. This is not live migration. It really will never be live migration because it's DDA. You get that with GPU partitioning.

In addition, on the Hyper-V side, we're also bringing dynamic processor compatibility to Hyper-V. This is great for folks like yourself that say, hey, Jeff, last year we bought a cluster and it's Intel Xeon Scalable third generation. I realized I bought four nodes and I really should have bought six, so I went back to my partner and I said, hey, can I get two more? They said, well, we don't sell that anymore. We sell the fourth generation. With dynamic processor compatibility, you can add new hosts to the cluster, and the way this works is when the systems are actually coming up, clustering looks at all of the processors across the cluster and it determines what are all of the processor features that are available. If this is a homogeneous set, if this was all third gen, they're going to get the full compatibility. But if this is third and fourth gen, it's going to look across all and go, well wait a minute, you have third gen but the fourth gen have these additional features, we're going to mask those off. It means you get maximum performance, you get maximum compatibility, and it makes it easier to scale out your hardware.

Also on the Hyper-V front, this has been around for a while. Generation 2 virtual machines, this has been around since 2012. But I want to urge, stomp my feet: if you're using Hyper-V Generation 1 VMs, you need to stop. Generation 2 VMs, we're going to make this the default. We've been defaulting to Generation 1 for far too long. There's some big advantages with Generation 2 virtual machines, performance and scale. Generation 1 VMs are limited to 64 virtual processors; you can go all the way up to 240 if you're running Generation 2. You also get Secure Boot, you get TPM, you get UEFI firmware and you get dynamic features like hot-add capabilities that you don't get on Generation 1. It's a no brainer. Every single OS that we support is already supported in Generation 2. We're going to make that default for all of our guests. That's in Hyper-V Manager and Windows Admin Center and more.

We've talked about storage, we've talked about AD, we've talked about going NTLM-less. Let's talk a little bit about networking. Again, not a lot of time, so I'm going to breeze through this one. There's a bunch of stuff coming to networking. Network ATC: intent-based networking deployment, one-click deployment and drift remediation.

JEFF WOOLSEY: You basically point to an adapter and say, what does this adapter do? Does this do storage? Great. We're going to configure this for storage. We're going to configure all of the offloads and everything you need to do in hardware. We're going to take care of that for you. If it drifts, we'll fix it for you. Network HUD, always on alerting and remedial operations for network issues. Who doesn't need help solving network issues? Guess what? Network HUD is there to help you with that. SDN Multisite, so you need to move workloads between multiple sites. You got containers, you got Kube. Guess what? It's all transparent with SDN Multisite. Again, don't have a lot of time. I'm going to continue right along. Massive gateway performance improvements in the SDN gateway. There's a whole bunch of stuff we're doing with hybrid AKS to make all of this seamless, high performing, low CPU utilization and more flexibility across multi sites. Speaking of AKS containers, we've been doing so much work on containers starting all the way back in 2016, 2019, 2022, and we have kept our foot on the gas pedal in vNext: the container base image portability. You can now run Windows Server 2020 containers on vNext, and you don't need to upgrade the base image, it just works. It's there. We've reduced the image size with smaller deltas. We've improved app compat very quietly for Nano Server. Nano Server is that teeny tiny little container image we have. It's less than 100 megabytes, it's 64 bit only. It's optimized for cloud native development. It's quietly, very, very popular. The downloads we see for this are mind blowing, and this is just a sneak peek at some of the things in containers. Time for me to pass it back to Eldon to talk about next generation file services.

ELDON CHRISTENSEN: Thanks Jeff. Let's talk about file servers and file services. Let me talk about SMB over QUIC for a second. What SMB over QUIC is, is it allows you to do secure connectivity, secure and encrypted with TLS 1.3 connections over the Internet. This is a feature we actually introduced in Windows Server 2022 Azure Edition. We've just had a lot of people clamoring for it and saying, I really want this feature, it is amazing. Please give it to me beyond just Azure Edition. You asked for it and so we listened, and so one of the things that's coming in vNext is we're going to be having QUIC available in all editions of Windows Server, whether it be Datacenter, Standard and everything else.

JEFF WOOLSEY: Hold on, Eldon, hold on. You get SMB over QUIC. You get SMB over
QUIC. Sorry, I'm done. I'm done.

ELDON CHRISTENSEN: It's coming everywhere. Let me show you. Maybe you haven't heard of SMB over QUIC before, so let me just show you what it is; we'll walk through the scenario. I'm going to do a little demo here. We're going to open up just a doc on a local file server. Imagine we're sitting on our laptop in our network in my office. We go open a file. Of course we're always going to have pictures in any SMB demo; Ned's dogs are always in every demo. So we've got a little doc with a bunch of Ned's dogs in it, and we can see we've got access to the doc. What we're going to do now is I'm going to log off. Let's imagine I'm going to get my laptop, I'm going to decide I want some coffee, and I'm going to walk over to a coffee shop. Now what I'm going to do is I'm going to try to open that same doc. I'm going to go, I've got a doc sitting on my file server, I'm going to try to access it. I'm going to open that up. As we know for the last 20 years, you can't just go to your laptop and just click on a file that's on your file server sitting in your data center. You'd have to configure something like a VPN. You'd have to connect in to be able to do that. Very cumbersome. Now I can just go into WAC, so I can go into WAC and you'll see that I configure SMB over QUIC for Internet access over the internet. I can then look and assign a cert from my cert repository for it. And then I can decide how I want to connect to that, so I can assign what name I want to make available for that. Then I'm just going to go and say okay. It's really just that simple, so I'm going to go enable that. Now it's configured; now let's go do that same thing. I'm on my laptop in the coffee shop. I'm going to try to open that same doc. Now I'm able to access that securely over the Internet from the coffee shop and open the file. If you look at the protocol now, if we go look, you can now see you're actually accessing and opening that file using QUIC. That's the protocol. Now you have complete access to your data from your file servers no matter where you are.

We introduced SMB over QUIC in Windows Server 22. Now it's coming to all editions, but we're continuing to innovate on what you know in 22. What you saw there was that you can configure access on the server side. You can also now in vNext assign access from the client side. You can say only these clients are allowed to access, in addition to just turning it on, so you can control who can have access to it as well. We also are bringing some more flexibility around disabling NTLM. Imagine you, on your server, have some legacy app that you need NTLM enabled for, but you want to disable it for SMB. Now we have the ability to disable NTLM at an SMB level. We expose that via group policies, via PowerShell. Now you have greater control on disabling NTLM.

Let's talk about brute force attacks for a second. These have been around forever. A brute force attack is where you're just going to try different passwords. You're trying password 1, password 2, password 3. Or you're going to do dictionary attacks, where you're taking common words in the dictionaries and trying to come up with combinations of them. Brute force attacks have been around forever. One of the things that we have coming in vNext is that we put in an SMB authentication limiter. Basically, it limits how often a source is allowed to authenticate. We put in basically a two second delay. That slows down the number of authentications that can happen. For example, let's take this scenario. If you're going to do 300 brute force attacks a second for five minutes, you're going to get 90,000 password attempts. What you could normally accomplish from a brute force attack in five minutes will now take about five hours. That's just slowing down and having a limiter on how fast those brute force attacks can happen. That's just trying to provide some more protection from brute force attacks.

JEFF WOOLSEY: Actually, it's 50 hours, not five.

ELDON CHRISTENSEN: Did I say five?

JEFF WOOLSEY: You said 50.

ELDON CHRISTENSEN: Thank you. That's a zero. Let's talk about SMB signing. SMB signing is available in Windows Server 22, as you know today. But now we're just trying to make the system secure by default: SMB signing is set to required for vNext. That's just about, we're trying to raise the bar and make the system secure by default, so you just install it and you don't have to think about it, and you're going to be secure by default. We also give more control around SMB dialect. So if you want to talk SMB 2, SMB 3, we're giving you greater control with that. Let me show you what that looks like. You can actually go into group policy and you'll notice that you can mandate a minimum version of the protocol that you want to have. You can say, I don't want to talk anything lower than a specific version. You can also say if you want to have a maximum version. This just gives you greater control if you want to say what versions of SMB you want to allow to be communicating on your network.

In making the OS more secure by default, we also want to provide some more hardening of the SMB firewall rules. A lot of the firewall rules are actually pretty old, from back in the day, and specifically around NetBIOS. When you install a file server, we punch open all the firewall ports around NetBIOS. What we're doing is that we're saying, hey, let's dial back on some of these legacy requirements by default, to make the system more secure by default. Again, here you can just look at it. The firewall rules are still there. You can quite easily go turn them back on if you want to. But we're just trying to make the system more secure by default in the way the system ships. This is just the beginning. We're going to continue to work on this in Insiders, and we're going to be trying to harden more of the ports, and just trying to open as little as possible for what is a modern system.

This is the one that probably gets me the most jazzed up, I'm going to be honest. This is the one that gets me really excited. Getting to v.Next is going to be the easiest you've ever had. As you know on your Windows 11 devices, what do you do when a new update comes out, a new version comes out? You just open Windows Update, you see a little thing that says, oh, the next version of Windows is available and you want to upgrade. You just say, yeah. You click the button and then it sucks it down. You do a single reboot and voilà, you're up and running on the next version. Upgrading Windows Server, we've never had that. It's always been really hard. We are now going to have that in v.Next. You're going to be able to just go into Windows Update, you're going to see the latest update, you're just going to be able to hit Update and it's going to update your system from the old version to the new version. If you're running on Azure, for example, it's very difficult to try to present the setup media into the VM. It's very hard to upgrade this. Specifically if you're running your VMs in the cloud, you're really going to get a great advantage in the simple upgrade story and getting to v.Next. Now it's fully manageable and controllable. Some of you are probably going, I don't want my junior admins just opening Windows Update and going cool, next version, and it hasn't been approved. It's all group policy controlled. For everybody here, don't totally freak out. But the goal is we're going to make it really simple to stay current: get current, stay current. We're putting a lot of effort into ensuring app compat, to relieve the burdens on your ability to upgrade to the next version. That burden is on me, to ensure app compat. The days of 15 years ago, 20 years ago, where there would be all these breaking changes on a version upgrade, that is not the way we think anymore. You shouldn't go spend a year validating every single app and doing all these full test passes and making sure everything works, and being super scared before you hit the upgrade button. That burden's on me; I want to make sure that you can upgrade with confidence.

There are a lot of people who are going to the cloud. There are a lot of people who want to stay on prem or are going to have part of their install base be on prem for a period, and I embrace that. I embrace it if you want to stay on prem. They say, hey, how do you bring the power of Azure to me? You're doing all this great innovation in Azure, how can I take advantage of it on prem? Arc is our strategy around how we bring those services to you in a hybrid model. Today enabling Arc is pretty tedious. It's a PowerShell script, it isn't very easy. One of the things we're doing in v.Next is we're just making an easy button here. We have a little wizard and you can go install this and you can get Arc enabled very simply on a server, starting with v.Next. Actually, we backported some of this for 22 as well.

We're also bringing a bunch of foundational work to v.Next. For example, WiFi. We've had people say, hey, I have servers that are out in a branch office and WiFi connectivity is very fast. Now, we don't have WiFi. WiFi is now there. Other things we're bringing: Bluetooth. People are saying, I want my Bluetooth mouse to be able to work with my server. We brought Bluetooth. Bluetooth is now there too. We're bringing some of the foundational things which I just consider fundamentals. These are fundamentals, which may not be the way we thought of servers 10 years ago, as the world has evolved. We're modernizing Windows Server.

Then another thing I want to talk about is we're going to have a new model for purchasing Windows Server. As you may be familiar with Azure Stack HCI, it's what we call a pay-as-you-go model, a pay-go model where you can bill your Azure Stack HCI through Azure. SQL Server, in their last version, also introduced pay-go and the ability to switch from a CapEx model to an OpEx model. Instead of just buying a perpetual license, you can now buy effectively a subscription and pay as you go for what you want to pay for. We are also going to introduce this in the next version of Windows Server. When you install Windows Server, you'll have the ability to effectively select. Here you'll have a radio button and you can choose to say use a product key, which is the same way you've been acquiring Windows Server with a perpetual license for the last 20 years. You get a key, you put it in, and then you have the perpetual license. Whatever purchasing models are used today will all still be there. But you can also choose this new pay as you go. When you select pay as you go, we are then going to enable it through Arc and we're going to bill through Azure Commerce. You can have a single billing system whether you have that small number of systems which are on prem. Let's say you've moved most of your stuff to the cloud, but you've got a few things left on prem: you don't want to have two purchasing models, or you want to switch to an OpEx purchasing model. You can do that as well. These are the kind of scenarios we think about with this; it'll be very flexible. Let's say you've got Windows Server Standard edition, which gives you two VM rights. You need a third or fourth, or you have Christmas burst scenarios. You need to scale up for a month or two and you want to scale back down; you just want some burst scenario. We think those are some of the interesting scenarios where people may want more subscription-based pricing for Windows Server. Excited about licensing? We thought that was going to be the most exciting slide, licensing. Everybody wants to talk about licensing.

This is one I just want to address. People ask questions: hey, what's the story going to be for M365 apps running on Windows Server today and on the next version? This is important for everybody running Remote Desktop Services. If you're running those services and you're running it on prem, and having M365 app support is critical to you, we embrace you, we love you, it's not going anywhere. That's the key message I want to deliver here. Today we support M365 on Windows Server 22 for the mainstream support cycle. That's the first five years of the release. Then we do releases, as you know, every two to three years of Windows Server. We're going to continue that story with v.Next. Again, v.Next, we will support M365 apps on v.Next for the mainstream support cycle. It's a really easy story: the first five years of support, and we release every two to three years. As long as you stay current, you stay secure, you stay supported. We've got a link there where you can learn more, so we support you. With that, Jeff, take us home.

JEFF WOOLSEY: Thank you Eldon. Hot patching for everyone. Big changes in Active Directory, big changes in Hyper-V, GPUs, scalability, performance, security, moving to an NTLM-less world. I love just saying that; it makes me so happy. Container innovation, desktop experience innovation, SMB over QUIC for everyone. If you haven't gotten excited yet, one last thing. We still haven't shown you everything.

ELDON CHRISTENSEN: You still are.

JEFF WOOLSEY: There's still a bunch of stuff that we're still holding back. You're going to have to follow us, and the best way to do that is to download the Windows Server v.Next Insider builds, please. You can start playing with some of this stuff already. Who doesn't want a 70 percent performance improvement for their storage on NVMe? It is ridiculous. I showed my friend Bob the other day over in SQL. He's an architect. He was like, boom. He's like, I'm going to have my guys run HammerDB on this thing immediately; he was so excited. If you want to learn more, download Windows Server v.Next from Insiders and we would love to get your feedback. We're celebrating 30 years of Windows Server this year, and it's for folks like you in this room. Thank you so much for your support. We're so excited to deliver more features, more capabilities, and more innovation. Are there any features we're missing? Are there things that you'd like to see in desktop experience? Do your VMs run as expected? We all want to hear about it. Follow us at Windows Server Insiders Community at: Microsoft.com. With that, I want to say thank you very much. Please fill out your surveys. If you enjoyed this session, my name is Jeff Woolsey and this is Eldon Christensen. If you did not enjoy this session, my name is Jeffrey Snover and this is Mark Russinovich. (Jeff Woolsey and Eldon Christensen) Thank you very much. END
