What’s New in Windows Server 2016

This article discusses some of the latest features in Windows Server 2016 that are likely to have a significant impact on your experience with this release.


The Virtualization aspect encompasses the tools and features that IT professionals use to design, deploy, and maintain Windows Server.


Both physical and virtual machines now benefit from improved time accuracy thanks to enhancements in the Win32 Time and Hyper-V Time Synchronization Services. Windows Server is now able to host services that comply with upcoming regulations, which require a 1ms accuracy in relation to UTC.


  • What's new in Hyper-V on Windows Server 2016, Client Hyper-V running on Windows 10, and Microsoft Hyper-V Server 2016. This topic provides detailed explanations on the new and modified functionalities of the Hyper-V role in Windows Server 2016.

  • Windows Containers: Windows Server 2016 container support brings performance improvements, simplified network management, and support for Windows containers on Windows 10. For additional information on containers, check out “Containers: Docker, Windows, and Trends.”

Nano Server

The Nano Server has received updates, including an enhanced module for creating Nano Server images. These updates provide better segregation between the physical host and guest virtual machine functionality, as well as support for various Windows Server editions. Other improvements include a more refined Recovery Console that separates inbound and outbound firewall rules, and the ability to repair WinRM configurations.

Shielded Virtual Machines

Windows Server 2016 introduces a new Hyper-V-based Shielded Virtual Machine for the purpose of protecting any Generation 2 virtual machine from a compromised fabric. The following features have been introduced:

  • A new mode called “Encryption Supported” that offers greater protection than a regular virtual machine, but less than the “Shielded” mode. This mode still supports vTPM, disk encryption, Live Migration traffic encryption, and other features, including conveniences like virtual machine console connections and PowerShell Direct.

  • Full support for converting existing non-shielded Generation 2 virtual machines into shielded virtual machines, with the addition of automated disk encryption.

  • Hyper-V Virtual Machine Manager can now view the fabrics on which a shielded virtual machine is authorized to run. This allows the fabric administrator to access a shielded virtual machine’s key protector (KP) and view the authorized fabrics.

  • Attestation modes on a running Host Guardian Service can be switched. It is now possible to switch between the less secure but simplified Active Directory-based attestation and TPM-based attestation.

  • End-to-end diagnostics tooling based on Windows PowerShell that can detect misconfigurations or errors in both guarded Hyper-V hosts and the Host Guardian Service.

  • A recovery environment that securely troubleshoots and repairs shielded virtual machines within the host fabric. This environment provides the same level of protection as the shielded virtual machine itself.

  • Host Guardian Service support for existing safe Active Directory instances, enabling the use of an existing Active Directory forest instead of creating a new instance.

READ  Windows 11: A Closer Look

For more information and instructions on working with shielded virtual machines, refer to the article “Guarded Fabric and Shielded VMs.”

Identity and Access

The Identity and Access features improve organizations’ ability to secure their Active Directory environments and facilitate migration to cloud-only or hybrid deployments, where some applications and services are hosted on-premises and others are in the cloud.

Active Directory Certificate Services

AD CS in Windows Server 2016 offers increased support for TPM key attestation. Smart Card KSP can now be used for key attestation, and devices not joined to the domain can use NDES enrollment to obtain certificates that can be attested for keys residing in a TPM.

Active Directory Domain Services

Active Directory Domain Services includes enhancements that help organizations secure their Active Directory environments and provide better identity management experiences for both corporate and personal devices. For more information, see “What’s new in Active Directory Domain Services (AD DS) in Windows Server 2016.”

Active Directory Federation Services

Active Directory Federation Services in Windows Server 2016 introduces new features that enable the configuration of AD FS to authenticate users stored in Lightweight Directory Access Protocol (LDAP) directories. Learn more in the article “What’s New in AD FS for Windows Server 2016.”

Web Application Proxy

The latest version of Web Application Proxy focuses on new features that enable publishing and pre-authentication for various applications, improving the user experience. It includes pre-authentication for rich client apps like Exchange ActiveSync and wildcard domain support for easier publishing of SharePoint apps. Additional details are available in the document “Web Application Proxy in Windows Server 2016.”


The Management and Automation area provides useful tools and reference information for IT professionals who manage Windows Server 2016, including Windows PowerShell.

Windows PowerShell 5.1 introduces significant new features, like support for working with classes, enhanced security features, improved usability, and better control and management of Windows-based environments. For more details, refer to the article “New Scenarios and Features in WMF 5.1.”

Some other new administration features include:

  • The ability to run PowerShell.exe locally on Nano Server (no longer restricted to remote usage).

  • New Local Users & Groups cmdlets to replace the GUI.

  • Enhanced PowerShell debugging support.

  • Added support in Nano Server for security logging & transcription and JEA (Just Enough Administration).

For additional information, see the article “Administration in Windows Server 2016.”

PowerShell Desired State Configuration (DSC) in Windows Management Framework (WMF) 5

Windows Management Framework 5 includes updates to Windows PowerShell Desired State Configuration (DSC), Windows Remote Management (WinRM), and Windows Management Instrumentation (WMI). If you want to test the DSC features, check out the series of blog posts on PowerShell DSC validation. To download, visit Windows Management Framework 5.1.

PackageManagement unified package management for software discovery, installation, and inventory

Windows Server 2016 includes a new PackageManagement feature (formerly known as OneGet) that automates software discovery, installation, and inventory (SDII). Whether you are working locally or remotely, with any installer technology or software location, IT professionals and DevOps can utilize the PackageManagement feature. For more information, see the PackageManagement Wiki.

PowerShell enhancements to assist digital forensics and help reduce security breaches

To aid the team responsible for investigating compromised systems (the “blue team”), additional PowerShell logging and other digital forensics functionalities have been implemented. Furthermore, new features have been introduced to mitigate vulnerabilities in scripts, such as constrained PowerShell and secure CodeGeneration APIs. You can find more information in the “PowerShell ♥ the Blue Team” blog post.

READ  Everything You Should Know About the Release of Windows 7


The Networking segment includes networking products and features that IT professionals can utilize for designing, deploying, and maintaining Windows Server 2016.

Software-Defined Networking

You can now mirror and route traffic to new or existing virtual appliances. This, combined with a distributed firewall and Network security groups, allows you to dynamically segment and secure workloads in a manner similar to Azure. Additionally, the entire Software-defined networking (SDN) stack can be deployed and managed using System Center Virtual Machine Manager. Docker can also be used to manage Windows Server container networking, associating SDN policies with both virtual machines and containers. For more information, see the article “Plan a Software-Defined Network Infrastructure.”

TCP performance improvements

Improvements have been made to TCP performance, including an increase in the default Initial Congestion Window (ICW) from 4 to 10, and the implementation of TCP Fast Open (TFO). TFO reduces the time required to establish a TCP connection, and the increased ICW facilitates the transfer of larger objects in the initial burst. Together, these enhancements significantly reduce the time needed to transfer Internet objects between the client and the cloud. To improve TCP behavior during packet loss recovery, TCP Tail Loss Probe (TLP) and Recent Acknowledgment (RACK) have been implemented. TLP aids in converting Retransmit TimeOuts (RTOs) to Fast Recoveries, while RACK reduces the time required for Fast Recovery to retransmit a lost packet.

Security and Assurance

Security and Assurance includes security solutions and features for deploying in both data center and cloud environments. For information on security in Windows Server 2016, see the “Security and Assurance” document.

Just Enough Administration

Just Enough Administration in Windows Server 2016 is a security technology that enables delegated administration for anything managed with Windows PowerShell. Capabilities include the ability to run under a network identity, connect over PowerShell Direct, securely copy files to or from JEA endpoints, and configure the PowerShell console to launch in a JEA context by default. For more details, refer to the JEA documentation on GitHub.

Credential Guard

Credential Guard utilizes virtualization-based security to isolate secrets, making them accessible only to privileged system software. Find more information in the article “Protect derived domain credentials with Credential Guard.”

Remote Credential Guard

Credential Guard includes support for RDP sessions, ensuring that user credentials remain on the client side and are not exposed on the server side. This also enables Single Sign-On for Remote Desktop. For more information, see “Protect derived domain credentials with Windows Defender Credential Guard.”

Device Guard (Code Integrity)

Device Guard strengthens security by providing kernel mode code integrity (KMCI) and user mode code integrity (UMCI) through the creation of policies that dictate which code can run on the server. An introduction to Device Guard can be found in the article “Introduction to Windows Defender Device Guard: virtualization-based security and code integrity policies.”

Windows Defender

Windows Server 2016 comes with Windows Defender Antimalware installed and activated by default. Though the user interface for Windows Server Antimalware is not installed, Windows Server Antimalware will still update antimalware definitions and protect the computer without the UI. If necessary, the user interface can be installed via the Add Roles and Features Wizard.

READ  What Is OneDrive?

Control Flow Guard

Control Flow Guard (CFG) is a platform security feature developed to combat memory corruption vulnerabilities. Additional information can be found in the “Control Flow Guard” article.


Windows Server 2016 introduces new features and enhancements for both software-defined storage and traditional file servers. Here are a few of the new features, with more details available in the “What’s New in Storage in Windows Server 2016” article.

Storage Spaces Direct

Storage Spaces Direct allows the creation of highly available and scalable storage using servers with local storage. It simplifies the deployment and management of software-defined storage systems, opening up the use of new disk devices like SATA SSD and NVMe, which were not previously compatible with clustered Storage Spaces with shared disks. For more info, see “Storage Spaces Direct.”

Storage Replica

Storage Replica enables block-level synchronous replication between servers or clusters for disaster recovery purposes. It also allows stretching of a failover cluster between sites. Synchronous replication mirrors data with crash-consistent volumes, ensuring zero data loss at the file-system level. Asynchronous replication provides the option to extend sites beyond metropolitan ranges, with the trade-off being the possibility of data loss. For more details, refer to “Storage Replica.”

Storage Quality of Service (QoS)

With Storage Quality of Service (QoS), you can monitor storage performance across Hyper-V and CSV clusters, creating management policies that help centralize performance monitoring. For more information, refer to “Storage Quality of Service.”

Failover Clustering

Windows Server 2016 introduces various new features and enhancements for the Failover Clustering feature, which enables the grouping of multiple servers into a single fault-tolerant cluster. Some of the new additions include:

Cluster Operating System Rolling Upgrade

This feature allows administrators to upgrade the operating system of cluster nodes from Windows Server 2012 R2 to Windows Server 2016 without interrupting Hyper-V or Scale-Out File Server workloads. Upgrading with Cluster Operating System Rolling Upgrade helps avoid downtime penalties against Service Level Agreements (SLAs). More information is provided in the article “Cluster Operating System Rolling Upgrade.”

Cloud Witness

Cloud Witness is a Failover Cluster quorum witness type in Windows Server 2016 that leverages Microsoft Azure as the arbitration point. Functioning like any other quorum witness, the Cloud Witness receives a vote and participates in the quorum calculations. To configure Cloud Witness as a quorum witness, use the Configure a Cluster Quorum Wizard. For more details, refer to “Deploy Cloud Witness.”

Health Service

The Health Service improves day-to-day monitoring, operations, and maintenance of cluster resources on a Storage Spaces Direct cluster. Detailed information about Health Service can be found in the article “Health Service.”

Application Development

Internet Information Services (IIS) 10.0

IIS 10.0, the web server in Windows Server 2016, offers several new features, including support for the HTTP/2 protocol, which enhances load times for web pages by improving connection reuse and decreasing latency. IIS 10.0 can be run and managed in Nano Server, and it now supports Wildcard Host Headers, making it easier to set up a web server for a domain and serve requests for any subdomain. A new PowerShell module called IISAdministration is available for managing IIS. For more details, refer to the “IIS” article.

Distributed Transaction Coordinator (MSDTC)

Microsoft Windows 10 and Windows Server 2016 introduce three new features:

  • A new interface for Resource Manager Rejoin, which allows resource managers to determine the outcome of an in-doubt transaction after a database restarts due to an error. Refer to the documentation for IResourceManagerRejoinable::Rejoin.

  • The DSN name limit has increased from 256 bytes to 3072 bytes. See IDtcToXaHelperFactory::Create, IDtcToXaHelperSinglePipe::XARMCreate, or IDtcToXaMapper::RequestNewResourceManager for further details.

  • Improved tracing that includes an image file path in the trace log file name. This helps locate the correct trace log file to check. Check out the documentation on configuring tracing for MSDTC in “How to enable diagnostic tracing for MS DTC on a Windows-based computer.”

By following these guidelines, you can craft an engaging and informative article that effectively presents the new features of Windows Server 2016. Remember to maintain an approachable and friendly tone throughout, ensuring that readers feel like they are having a casual conversation with a trusted friend.

Related Posts