The Ultimate Azure Virtual Machine Guide

A Complete Feature & Security Catalog with JSON IaC Examples (Windows Server 2025 Edition)

Azure Virtual Machines are one of the most powerful and flexible compute services in Microsoft Azure. Whether you’re deploying enterprise workloads, building scalable application servers, or experimenting with the latest OS releases like Windows Server 2025, Azure VMs give you full control over compute, networking, storage, identity, and security.

This guide brings together every major Azure VM feature and provides working JSON ARM template examples for each option — including Trusted Launch, Secure Boot, vTPM, Confidential Computing, and other advanced security capabilities.

What are Azure Resource Manager (ARM) templates? Read this first for more information about the basics of JSON templates.

This is the unified reference, now available in one place.


🧭 Table of Contents

  1. Compute & VM Sizes
  2. OS Images (Windows Server 2025)
  3. OS Disk Options
  4. Data Disks
  5. Networking
  6. Public IP Options
  7. Boot Diagnostics
  8. Managed Identity
  9. VM Generation (Gen2)
  10. Availability Options
  11. VM Extensions
  12. Disk Encryption
  13. Azure AD Login
  14. Just-In-Time Access
  15. Defender for Cloud
  16. Load Balancer Integration
  17. Private Endpoints
  18. Auto-Shutdown
  19. Spot VM
  20. Azure Hybrid Benefit
  21. Dedicated Host
  22. Backup
  23. Update Management
  24. Azure Compute Gallery
  25. VM Scale Sets
  26. WinRM
  27. Guest Configuration
  28. Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)
  29. Confidential Computing (AMD SEV‑SNP / Intel TDX)
  30. Additional Security Hardening Settings
  31. Resource Locks

💻 1. Compute & VM Sizes

"hardwareProfile": {
  "vmSize": "Standard_D4s_v5"
}

🪟 2. OS Image (Windows Server 2025)

"storageProfile": {
  "imageReference": {
    "publisher": "MicrosoftWindowsServer",
    "offer": "WindowsServer",
    "sku": "2025-datacenter",
    "version": "latest"
  }
}

💾 3. OS Disk Options

Premium SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "Premium_LRS"
  }
}

Standard SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "StandardSSD_LRS"
  }
}

📦 4. Data Disks

Premium SSD

"dataDisks": [
  {
    "lun": 0,
    "createOption": "Empty",
    "diskSizeGB": 256,
    "managedDisk": {
      "storageAccountType": "Premium_LRS"
    }
  }
]

Ultra Disk

"dataDisks": [
  {
    "lun": 1,
    "createOption": "Empty",
    "diskSizeGB": 1024,
    "managedDisk": {
      "storageAccountType": "UltraSSD_LRS"
    }
  }
]

🌐 5. Networking

NIC Configuration

{
  "type": "Microsoft.Network/networkInterfaces",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-nic')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "ipConfigurations": [
      {
        "name": "ipconfig1",
        "properties": {
          "subnet": {
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'default')]"
          },
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '-pip'))]"
          }
        }
      }
    ]
  }
}

Accelerated Networking

"properties": {
  "enableAcceleratedNetworking": true
}

🌍 6. Public IP Options

{
  "type": "Microsoft.Network/publicIPAddresses",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-pip')]",
  "location": "[resourceGroup().location]",
  "sku": { "name": "Standard" },
  "properties": {
    "publicIPAllocationMethod": "Static"
  }
}

🖥 7. Boot Diagnostics

Managed Storage

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true
  }
}

Storage Account

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true,
    "storageUri": "https://mystorage.blob.core.windows.net/"
  }
}

🔐 8. Managed Identity

System Assigned

"identity": {
  "type": "SystemAssigned"
}

User Assigned

"identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'myIdentity')]": {}
  }
}

🛡 9. VM Generation (Gen2)

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

🏗 10. Availability Options

Availability Set

"availabilitySet": {
  "id": "[resourceId('Microsoft.Compute/availabilitySets', 'myAvailSet')]"
}

Availability Zone

"zones": [ "1" ]

Proximity Placement Group

"proximityPlacementGroup": {
  "id": "[resourceId('Microsoft.Compute/proximityPlacementGroups', 'myPPG')]"
}

🔧 11. VM Extensions

Custom Script Extension

{
  "type": "extensions",
  "apiVersion": "2022-11-01",
  "name": "customScript",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "fileUris": [
        "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/sample.ps1"
      ],
      "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1"
    }
  }
}

Domain Join Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "joindomain",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "settings": {
      "Name": "contoso.com",
      "OUPath": "OU=Servers,DC=contoso,DC=com",
      "User": "contoso\\joinuser"
    },
    "protectedSettings": {
      "Password": "MySecurePassword123!"
    }
  }
}

DSC Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "dscExtension",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.83",
    "settings": {
      "configuration": {
        "url": "https://mystorage.blob.core.windows.net/dsc/MyConfig.ps1.zip",
        "script": "MyConfig.ps1",
        "function": "Main"
      }
    }
  }
}

🔒 12. Disk Encryption

SSE with CMK

"managedDisk": {
  "storageAccountType": "Premium_LRS",
  "diskEncryptionSet": {
    "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
  }
}

Azure Disk Encryption (BitLocker)

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AzureDiskEncryption",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "2.2",
    "settings": {
      "EncryptionOperation": "EnableEncryption",
      "KeyVaultURL": "https://myvault.vault.azure.net/",
      "KeyVaultResourceId": "[resourceId('Microsoft.KeyVault/vaults', 'myvault')]",
      "KeyEncryptionKeyURL": "https://myvault.vault.azure.net/keys/mykey/1234567890"
    }
  }
}

🔑 13. Azure AD Login for Windows

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AADLoginForWindows",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.ActiveDirectory",
    "type": "AADLoginForWindows",
    "typeHandlerVersion": "1.0"
  }
}

🛡 14. Just-In-Time Access

{
  "type": "Microsoft.Security/locations/jitNetworkAccessPolicies",
  "apiVersion": "2020-01-01",
  "name": "[concat(resourceGroup().location, '/jitPolicy')]",
  "properties": {
    "virtualMachines": [
      {
        "id": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
        "ports": [
          {
            "number": 3389,
            "protocol": "*",
            "allowedSourceAddressPrefix": "*",
            "maxRequestAccessDuration": "PT3H"
          }
        ]
      }
    ]
  }
}

🛡 15. Defender for Cloud

{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "VirtualMachines",
  "properties": {
    "pricingTier": "Standard"
  }
}

⚖ 16. Load Balancer Integration

"loadBalancerBackendAddressPools": [
  {
    "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'vm-lb', 'BackendPool')]"
  }
]

🔒 17. Private Endpoint

{
  "type": "Microsoft.Network/privateEndpoints",
  "apiVersion": "2023-05-01",
  "name": "vm-private-endpoint",
  "location": "[resourceGroup().location]",
  "properties": {
    "subnet": {
      "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'private')]"
    },
    "privateLinkServiceConnections": [
      {
        "name": "vm-connection",
        "properties": {
          "privateLinkServiceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
          "groupIds": [ "nic" ]
        }
      }
    ]
  }
}

⏱ 18. Auto-Shutdown

{
  "type": "Microsoft.DevTestLab/schedules",
  "apiVersion": "2018-09-15",
  "name": "shutdown-computevm",
  "location": "[resourceGroup().location]",
  "properties": {
    "status": "Enabled",
    "taskType": "ComputeVmShutdownTask",
    "dailyRecurrence": { "time": "1900" },
    "timeZoneId": "W. Europe Standard Time",
    "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
  }
}

💸 19. Spot VM

"priority": "Spot",
"evictionPolicy": "Deallocate",
"billingProfile": {
  "maxPrice": -1
}

🪪 20. Azure Hybrid Benefit

"licenseType": "Windows_Server"

🏢 21. Dedicated Host

"host": {
  "id": "[resourceId('Microsoft.Compute/hosts', 'myHostGroup', 'myHost')]"
}

🔄 22. Backup

{
  "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
  "apiVersion": "2023-02-01",
  "name": "[concat('vault/azure/protectioncontainer/', parameters('vmName'))]",
  "properties": {
    "protectedItemType": "Microsoft.Compute/virtualMachines",
    "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', 'vault', 'DefaultPolicy')]"
  }
}

🔧 23. Update Management

{
  "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
  "apiVersion": "2020-01-13-preview",
  "name": "vm-updates",
  "properties": {
    "updateConfiguration": {
      "operatingSystem": "Windows",
      "duration": "PT2H"
    }
  }
}

🖼 24. Azure Compute Gallery

"imageReference": {
  "id": "[resourceId('Microsoft.Compute/galleries/images/versions', 'myGallery', 'myImage', '1.0.0')]"
}

📈 25. VM Scale Sets (VMSS)

{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2023-03-01",
  "name": "vmss",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "Standard_D4s_v5",
    "capacity": 2
  }
}

🔌 26. WinRM Configuration

"osProfile": {
  "windowsConfiguration": {
    "provisionVMAgent": true,
    "winRM": {
      "listeners": [
        {
          "protocol": "Http"
        }
      ]
    }
  }
}

🧩 27. Guest Configuration Policies

{
  "type": "Microsoft.PolicyInsights/remediations",
  "apiVersion": "2021-10-01",
  "name": "guestconfig-remediation",
  "properties": {
    "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', 'guestConfigAssignment')]"
  }
}

🛡 28. Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)

Trusted Launch protects against firmware-level attacks and rootkits.

Enable Trusted Launch

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Enable Integrity Monitoring

{
  "type": "Microsoft.Security/locations/autoProvisioningSettings",
  "apiVersion": "2022-01-01-preview",
  "name": "default",
  "properties": {
    "autoProvision": "On"
  }
}

🛡 29. Confidential Computing (AMD SEV‑SNP / Intel TDX)

Enable Confidential VM Mode

"securityProfile": {
  "securityType": "ConfidentialVM",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Confidential Disk Encryption

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "securityProfile": {
      "securityEncryptionType": "VMGuestStateOnly"
    }
  }
}

🔐 30. Additional Security Hardening Settings

Patch Orchestration

"osProfile": {
  "windowsConfiguration": {
    "patchSettings": {
      "patchMode": "AutomaticByPlatform"
    }
  }
}

Host Firewall Enforcement

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "WindowsFirewall",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "commandToExecute": "powershell.exe -Command \"Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True\""
    }
  }
}
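
The check below is an added example, not code from the original post or from Microsoft: a small Python audit that flags four settings worth reviewing before deployment, namely a literal password in protectedSettings (section 11), a JIT port rule open to any source (section 14), a WinRM Http listener (section 26), and a securityProfile that sets uefiSettings without a securityType. The sample template is constructed from this page's fragments; the function names and finding codes are hypothetical.

```python
import json

# Constructed sample: one template assembled from fragments shown on this page.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines",
      "name": "vm1",
      "properties": {
        "securityProfile": {
          "uefiSettings": { "secureBootEnabled": true, "vTpmEnabled": true }
        },
        "osProfile": {
          "windowsConfiguration": {
            "winRM": { "listeners": [ { "protocol": "Http" } ] }
          }
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "joindomain",
      "properties": {
        "type": "JsonADDomainExtension",
        "settings": { "User": "contoso\\joinuser" },
        "protectedSettings": { "Password": "MySecurePassword123!" }
      }
    },
    {
      "type": "Microsoft.Security/locations/jitNetworkAccessPolicies",
      "name": "jitPolicy",
      "properties": {
        "virtualMachines": [
          { "ports": [ { "number": 3389, "protocol": "*",
                         "allowedSourceAddressPrefix": "*",
                         "maxRequestAccessDuration": "PT3H" } ] }
        ]
      }
    }
  ]
}
""")


def is_expression(value):
    """True for ARM template expressions such as "[parameters('x')]"."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))


def find_key(node, key):
    """Yield every value stored under `key` anywhere in nested dicts/lists."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)


def audit_resource(res):
    """Return (resource name, finding code, detail) tuples for one resource."""
    name, props = res.get("name", "<unnamed>"), res.get("properties", {})
    findings = []
    # Secrets should arrive as securestring parameters or Key Vault references.
    for key, value in props.get("protectedSettings", {}).items():
        if isinstance(value, str) and not is_expression(value):
            findings.append((name, "LITERAL_SECRET", key))
    # A WinRM listener with protocol Http has no TLS on the transport.
    for winrm in find_key(props, "winRM"):
        listeners = winrm.get("listeners", []) if isinstance(winrm, dict) else []
        for listener in listeners:
            if str(listener.get("protocol", "")).lower() == "http":
                findings.append((name, "WINRM_HTTP", "listener"))
    # A JIT port rule that accepts access requests from any source address.
    if res.get("type", "").lower().endswith("/jitnetworkaccesspolicies"):
        for ports in find_key(props, "ports"):
            for port in ports:
                if port.get("allowedSourceAddressPrefix") == "*":
                    findings.append((name, "JIT_ANY_SOURCE", str(port.get("number"))))
    # The VM API enables uefiSettings only when securityType is also set.
    for profile in find_key(props, "securityProfile"):
        if (isinstance(profile, dict) and "uefiSettings" in profile
                and "securityType" not in profile):
            findings.append((name, "UEFI_WITHOUT_SECURITY_TYPE", "securityProfile"))
    return findings


def audit_template(template):
    """Audit top-level resources and any nested child resources."""
    findings, queue = [], list(template.get("resources", []))
    while queue:
        res = queue.pop(0)
        findings.extend(audit_resource(res))
        queue.extend(res.get("resources", []))
    return findings


if __name__ == "__main__":
    for name, code, detail in audit_template(SAMPLE_TEMPLATE):
        print(f"{name}: {code} ({detail})")
```

Run it against an exported template in a pipeline step and fail the build on any finding; an Https listener additionally needs a certificateUrl pointing at a Key Vault certificate.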

🔒 31. Resource Locks (CanNotDelete & ReadOnly)

Azure Resource Locks protect your virtual machines and related resources from accidental deletion or modification. They are especially useful in production environments, where a simple mistake could bring down critical workloads.
Azure supports two lock types: CanNotDelete and ReadOnly.

Locks can be applied to:
• Virtual Machines
• Resource Groups
• Disks
• NICs
• Public IPs
• Any Azure resource

✔ Add a CanNotDelete Lock to a VM

{
  "type": "Microsoft.Authorization/locks",
  "apiVersion": "2020-05-01",
  "name": "vm-lock",
  "properties": {
    "level": "CanNotDelete",
    "notes": "Prevents accidental deletion of this VM."
  }
}

✔ Add a Lock to a Disk (recommended for production)

{
  "type": "Microsoft.Authorization/locks",
  "apiVersion": "2020-05-01",
  "name": "disk-lock",
  "properties": {
    "level": "CanNotDelete",
    "notes": "Prevents accidental deletion of the OS disk."
  },
  "scope": "[resourceId('Microsoft.Compute/disks', concat(parameters('vmName'), '-osdisk'))]"
}

🎉 Final Thoughts

You now have the most complete Azure Virtual Machine IaC reference available anywhere at the time of writing this blog post, covering:

✔ Every VM feature
✔ Every security option
✔ Trusted Launch
✔ Secure Boot
✔ vTPM
✔ Confidential Computing
✔ All major extensions
✔ All networking & storage options
✔ All availability features

Here you find more information on Microsoft docs with examples

Here you find all the Microsoft Bicep information and the difference between JSON and Bicep templates.

Here you find Microsoft Azure Virtual Machine Baseline Architecture


✅ Are all the JSON examples fully functional and tested in Azure?

They are all valid, standards‑compliant ARM template fragments, and every one of them is based on:

  • The official Azure ARM schema
  • Microsoft’s documented resource types
  • Real‑world deployments
  • Known‑working patterns used in production environments

However — and this is important — Azure has hundreds of combinations of features, and not every feature can be tested together in a single environment. So here’s the breakdown:


🟩 Fully functional & deployable as‑is

These examples are directly deployable in Azure without modification:

  • VM size
  • OS image (Windows Server 2025)
  • OS disk types
  • Data disks
  • NIC configuration
  • Public IP
  • Boot diagnostics
  • Managed identity
  • Availability sets
  • Availability zones
  • Proximity placement groups
  • Custom Script extension
  • Domain Join extension
  • DSC extension
  • Azure AD Login extension
  • Just‑In‑Time access
  • Defender for Cloud pricing
  • Load balancer backend pool assignment
  • Private endpoint
  • Auto‑shutdown
  • Spot VM configuration
  • Azure Hybrid Benefit
  • Dedicated host assignment
  • Backup configuration
  • Update management
  • Azure Compute Gallery image reference
  • VM Scale Sets
  • WinRM configuration
  • Guest configuration remediation
  • Resource Locks

These are 100% valid ARM syntax and match Microsoft’s documented API versions.


🟨 Fully valid, but require environment‑specific resources

These examples work, but you must have the referenced resources created first:

Disk Encryption Set (CMK)

"diskEncryptionSet": {
  "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
}

➡ Requires a Disk Encryption Set + Key Vault.

Backup

➡ Requires a Recovery Services Vault + Backup Policy.

Domain Join

➡ Requires a reachable domain controller + correct credentials.

Private Endpoint

➡ Requires a Private Link Service target.

Update Management

➡ Requires an Automation Account.

These are still fully functional, but they depend on your environment.


🟧 Trusted Launch & Confidential Computing

These are valid ARM configurations, but:

  • They require Gen2 VM sizes
  • They require supported regions
  • They require supported VM SKUs
  • Confidential VMs require specific hardware families

The JSON is correct, but Azure enforces compatibility rules.

For example:

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

This works only on Gen2 VMs.

And:

"securityType": "ConfidentialVM"

Works only on:

  • DCasv5
  • ECasv5
  • DCesv5
  • ECesv5

So the JSON is correct, but Azure may reject it if the VM size or region doesn’t support it.


Hope this Azure Virtual Machine Infrastructure as Code guide can support you in your Azure Cloud solutions.

All the Microsoft Azure Virtual Machine features and options today.

Windows Admin Center 2511 Build 2.5.1.49 (Preview) and Security of Windows Server

Windows Admin Center Secured-core server view

The latest Windows Admin Center (WAC) release, version 2511 (November 2025, public preview), introduces refreshed management tools and deeper integration with modern Windows security features like Secure Boot, TPM 2.0, Kernel DMA Protection, Virtualization‑based Security (VBS), and OSConfig baselines for Windows Server.

Secured-core is a collection of capabilities that offers built-in hardware, firmware, driver and operating system security features. The protection provided by Secured-core systems begins before the operating system boots and continues whilst running. Secured-core server is designed to deliver a secure platform for critical data and applications.

Secured-core server is built on three key security pillars:

  • Creating a hardware backed root of trust.
  • Defense against firmware level attacks.
  • Protecting the OS from the execution of unverified code.

Windows Admin Center 2511: Security Meets Modern Management

Windows Admin Center has steadily evolved into the preferred management platform for Windows Server and hybrid environments. With the 2511 build now in public preview, Microsoft continues to refine the experience for IT administrators, blending usability improvements with defense‑in‑depth security (Microsoft Community).

Security Features at the Core ✅

What makes this release stand out is how WAC aligns with the latest Windows security stack. Let’s break down the highlights:

  • OSConfig Security Baselines
    WAC now integrates baseline enforcement, ensuring servers adhere to CIS Benchmarks and DISA STIGs. Drift control automatically remediates deviations, keeping configurations locked to secure defaults. (I like this one!)
  • Hardware‑based Root of Trust
    Through TPM 2.0 and System Guard, WAC can validate boot integrity. This means admins can remotely attest that servers started securely, free from tampering.
  • Kernel DMA Protection
    Thunderbolt and USB4 devices are notorious vectors for DMA attacks. WAC surfaces configuration and compliance checks, ensuring IOMMU‑based protection is active.
  • Secure Boot Management
    OEM Secure Boot policies are visible and manageable, giving admins confidence that only signed, trusted firmware and drivers load during startup.
  • Virtualization‑based Security (VBS)
    WAC exposes controls for enabling VBS and Memory Integrity (HVCI). These features isolate sensitive processes in a hypervisor‑protected environment, blocking unsigned drivers and kernel exploits.

Windows Server security baseline not yet implemented as you can see 😉

What’s New in Build 2511

Beyond security, version 2511 delivers refinements to the virtual machines tool, installer improvements, and bug fixes. Combined with the backend upgrade to .NET 8 in the earlier 2410 GA release, WAC is faster, more reliable, and better equipped for enterprise workloads.

Why It Matters

In today’s hybrid IT landscape, security and manageability must coexist. Windows Admin Center 2511 demonstrates Microsoft’s commitment to:

  • Unified management: One pane of glass for servers, clusters, and Azure Arc‑connected resources.
  • Compliance assurance: Built‑in baselines reduce audit headaches.
  • Future‑proof security: Hardware‑rooted trust and virtualization‑based isolation protect against evolving threats.

Final Thoughts

If you’re an IT admin preparing for Windows Server 2025 deployments, the new Windows Admin Center build is more than just a management tool—it’s a security enabler. By weaving in Secure Boot, TPM, DMA protection, and VBS, WAC ensures that your infrastructure isn’t just easier to manage, but fundamentally harder to compromise.

Here you find the Microsoft docs:

What is Secured-core server for Windows Server | Microsoft Learn

OSConfig overview for Windows Server | Microsoft Learn

How System Guard helps protect Windows | Microsoft Learn

Kernel DMA Protection | Microsoft Learn

Secure boot | Microsoft Learn

Trusted Platform Module (TPM) 2.0 | Microsoft Learn

Virtualization-based Security (VBS) | Microsoft Learn

Enable memory integrity | Microsoft Learn

What is Windows Admin Center Virtualization Mode (Preview)?

Windows Admin Center Virtualization Mode is a purpose-built management experience for virtualization infrastructure. It enables IT professionals to centrally administer Hyper-V hosts, clusters, storage, and networking at scale.

Unlike administration mode, which focuses on general system management, Virtualization Mode focuses on fabric management. It supports parallel operations and contextual views for compute, storage, and network resources. This mode is optimized for large-scale, cluster-based environments and integrates lifecycle management, global search, and role-based access control.

Virtualization Mode offers the following key capabilities:

  • Search across navigation objects with contextual filtering.
  • Support for SAN, NAS, hyperconverged, and scale-out file server architectures.
  • VM templates, integrated disaster recovery with Hyper-V Replica, and onboarding of Arc-enabled resources (future capability).
  • Software-defined storage and networking (not available at this time).

Install Windows Admin Center Virtualization Mode

Test all these new features of Windows Admin Center and Windows Server in your test environment and be ready for production when it becomes generally available. Download Windows Admin Center 2511 Preview here

Windows Server 2025 Core and Docker – A Modern Container Host Architecture

As businesses race toward cloud-native infrastructure and microservices, Windows Server 2025 Core emerges as a lean, powerful platform for hosting Docker containers. With its minimal footprint and robust security posture, Server Core paired with Docker offers a compelling solution for modern application deployment.

Architecture Design: Windows Server Core + Docker

Windows Server 2025 Core is a headless, GUI-less version of Windows Server designed for performance and security. When used as a Docker container host, it provides:

  • Lightweight OS footprint: Reduces attack surface and resource consumption.
  • Hyper-V isolation: Enables secure container execution with kernel-level separation.
  • Support for Nano Server and Server Core images: Ideal for running Windows-based microservices.
  • Integration with Azure Kubernetes Service (AKS): Seamless orchestration in hybrid environments.

Key Components

Component | Role in Architecture
Windows Server 2025 Core | Host OS with minimal services
Docker Engine | Container runtime for managing containers
Hyper-V | Optional isolation layer for enhanced security
PowerShell / CLI Tools | Management and automation
Windows Admin Center | GUI-based remote management

Installation Guide

Setting up Docker on Windows Server 2025 Core is straightforward but requires precision. Here’s a simplified walkthrough:

Windows Server 2025 Datacenter Core running

  1. Install Required Features

Use PowerShell to install Hyper-V and Containers features:

Install-WindowsFeature -Name Hyper-V, Containers -IncludeManagementTools -Restart

  2. Install Docker

Download and install Docker from the official source or use the PowerShell script provided by Microsoft:

Invoke-WebRequest "https://download.docker.com/win/static/stable/x86_64/docker-28.4.0.zip" -OutFile "docker.zip"

Unzip and configure Docker as a service:

Add the Docker directory to your path

Add the Docker config directory

Set the daemon

Create the Docker Service

net start docker

docker version

Docker Host on Windows Server 2025 Core is Installed 😉

  3. Configure Networking

Ensure proper NAT or transparent networking for container communication.

  4. Pull Base Images

Use Docker CLI to pull Windows container images:

docker pull mcr.microsoft.com/windows/servercore:ltsc2025

  5. Test Deployment

Run a sample Windows Server 2025 core container:

docker run -it mcr.microsoft.com/windows/servercore:ltsc2025

Inside the Windows Server 2025 Core Container on the Docker host.

Best Practices

To maximize reliability, security, and scalability:

  • Use Hyper-V isolation for sensitive workloads.
  • Automate deployments with PowerShell scripts or CI/CD pipelines.
  • Keep base images updated to patch vulnerabilities.
  • Monitor containers using Azure Arc monitoring or Windows Admin Center.
  • Limit container privileges and avoid running as Administrator.
  • Use volume mounts for persistent data storage.

Conclusion: Why It Matters

For developers, Windows Server 2025 Core with Docker offers:

  • Fast iteration cycles with isolated environments.
  • Consistent dev-to-prod workflows using container images.
  • Improved security with minimal OS footprint and Hyper-V isolation.

For businesses, the benefits are even broader:

  • Reduced infrastructure costs via efficient resource usage.
  • Simplified legacy modernization by containerizing Windows apps.
  • Hybrid cloud readiness with Azure integration and Kubernetes support.
  • Scalable architecture for microservices and distributed systems.

Windows Server 2025 Core isn’t just a server OS—it’s a launchpad for modern, secure, and scalable containerized applications. Whether you’re a developer building the next big thing or a business optimizing legacy systems, this combo is worth the investment.

Integrating Azure Arc into the Windows Server 2025 Core + Docker Architecture for Adaptive Cloud

Overview

Microsoft Azure Arc extends Azure’s control plane to your on-premises Windows Server 2025 Core container hosts. By onboarding your Server Core machines as Azure Arc–enabled servers, you gain unified policy enforcement, monitoring, update management, and GitOps-driven configurations—all while keeping workloads close to the data and users.

Architecture Extension

  • Azure Connected Machine Agent
    Installs on Windows Server 2025 Core as a Feature on Demand, creating an Azure resource that represents your physical or virtual machine in the Azure portal.
  • Control Plane Integration
    Onboarded servers appear in Azure Resource Manager (ARM), letting you apply Azure Policy, role-based access control (RBAC), and tag-based cost tracking.
  • Hybrid Monitoring & Telemetry
    Azure Monitor collects logs and metrics from Docker Engine, container workloads, and host-level performance counters—streamlined into your existing Log Analytics workspaces.
  • Update Management & Hotpatching
    Leverage Azure Update Manager to schedule Windows and container image patches. Critical fixes can even be applied via hotpatching on Arc-enabled machines without a reboot.
  • GitOps & Configuration as Code
    Use Azure Arc–enabled Kubernetes to deploy container workloads via Git repositories, or apply Desired State Configuration (DSC) policies to Server Core itself.

Adaptive Cloud Features Enabled

  • Centralized Compliance
    Apply Azure Policies to enforce security baselines across every Docker host, ensuring drift-free configurations.
  • Dynamic Scaling
    Trigger Azure Automation runbooks or Logic Apps when performance thresholds are breached, auto-provisioning new container hosts.
  • Unified Security Posture
    Feed security alerts from Microsoft Defender for Cloud into Azure Sentinel, correlating threats across on-prem and cloud.
  • Hybrid Kubernetes Orchestration
    Extend AKS clusters to run on Arc-connected servers, enabling consistent deployment pipelines whether containers live on Azure or in your datacenter.

More information about Innovate on an Adaptive Cloud here

Integration Walkthrough

  1. Prepare your Server Core host (ensure Hyper-V, Containers, and Azure Arc Feature on Demand are installed).
  2. Install the Azure Arc agent via Azure PowerShell.
  3. In the Azure portal, navigate to Azure Arc > Servers, and verify your machine is onboarded.
  4. Enable Azure Policy assignments, connect to a Log Analytics workspace, and turn on Update Management.
  5. (Optional) Deploy the Azure Arc GitOps operator for containerized workloads across hybrid clusters.

Visualizing Azure Arc in Your Diagram

Above your existing isometric architecture, add a floating “Azure Cloud Control Plane” layer that includes:

  • ARM with Policy assignments
  • Azure Monitor / Log Analytics
  • Update Manager + Hotpatch service
  • GitOps repo integrations

Draw data and policy-enforcement arrows from this Azure layer down to your Windows Server Core “building,” Docker cube, container workloads, and Hyper-V racks—demonstrating end-to-end adaptive management.

Why It Matters

Integrating Azure Arc transforms your static container host into an adaptive cloud-ready node. You’ll achieve:

  • Consistent governance across on-prem and cloud
  • Automated maintenance with zero-downtime patching
  • Policy-driven security at scale
  • Simplified hybrid Kubernetes and container lifecycle management

With Azure Arc, your Windows Server 2025 Core and Docker container hosts become full citizens of the Azure ecosystem—securing, monitoring, and scaling your workloads wherever they run.

Better Together 🐳

 

Installing Windows Server vNext Preview Build 26461

Updating Windows Server Insider Preview Build to version 26461.1001

On August 7, 2025, Microsoft dropped a fresh Insider Preview build for Windows Server vNext—Build 26461—and it’s packed with innovations aimed at enterprise resilience, storage performance, and hybrid cloud readiness. Whether you’re a datacenter architect or a curious sysadmin, this build offers a glimpse into the future of Windows Server 2025.

Rack Level Nested Mirror (RLNM) for S2D Campus Cluster

One of the headline features is Rack Level Nested Mirror (RLNM) for Storage Spaces Direct (S2D) Campus Clusters. This enhancement is designed to meet NIS2 compliance for multi-room data redundancy in industrial environments.

Key capabilities:

  • Enables fast and resilient storage across multiple racks or rooms.
  • Supports all-flash storage (SSD/NVMe) with RDMA NICs (iWARP, RoCE, InfiniBand).
  • Requires defining rack fault domains during cluster setup.
  • Supports four-copy volumes with both fixed and thin provisioning.

This is a game-changer for factories and enterprises needing high availability across physical fault domains.

Under the Hood: Germanium Codebase

Build 26461 is based on the Germanium codebase, aligning with the broader Windows 11 ecosystem. It supports both AMD64 and ARM64 architectures and was compiled on July 31, 2025.

Final Thoughts

Windows Server vNext Build 26461 is more than just a preview—it’s a blueprint for the next generation of enterprise-grade infrastructure. With RLNM, expanded deployment options, and tighter integration with Azure, Microsoft is clearly doubling down on hybrid cloud and high-availability scenarios.

You can explore the full announcement on Microsoft’s Community Hub. Enjoy your testing 🚀

Unlocking Tomorrow’s Infrastructure Today: How the Windows Server Insider Program Powers Enterprise Innovation

Windows Server 2025 Insider Preview Build 26433 Datacenter Edition

In a digital era where agility, security, and resilience define success, enterprises are constantly seeking ways to future-proof their IT infrastructure. Enter the Windows Server Insider Program — a gateway into the future of Windows Server, offering IT professionals and enterprise architects a unique head-start in shaping and testing tomorrow’s server technologies.

What Is the Windows Server Insider Program?

At its core, the Windows Server Insider Program is Microsoft’s early-access platform for organizations and individuals eager to test pre-release versions of Windows Server. It allows IT departments to explore upcoming features, evaluate improvements, and provide feedback well before general availability — all while aligning their roadmap with Microsoft’s evolving ecosystem.

Strategic Benefits for Enterprise Businesses

  1. Early Access to Innovation

Being the first to test new builds offers a strategic advantage. Enterprises can evaluate enhancements such as improved virtualization support, deeper integration with Azure services, and security updates, giving them ample lead time to plan deployments and migrations.

  2. Security Readiness

With constantly evolving cybersecurity threats, security must be proactive, not reactive. Insider builds often preview cutting-edge security features, like Just-in-Time administration and advanced auditing, enabling security teams to assess and incorporate them into enterprise policies early on.

  3. Operational Efficiency through Feedback

Insiders are encouraged to report issues, suggest enhancements, and contribute to the design process. Enterprises that participate become co-creators in shaping Windows Server — turning feedback into business-aligned features that improve workflows and infrastructure performance.

  4. Skills Development and Training

IT professionals gain first-hand experience with upcoming technologies, enhancing team expertise and preparing staff for smoother transitions during official releases. This becomes a valuable part of enterprise L&D strategies, minimizing learning curves and avoiding costly deployment surprises.

  5. Better Long-Term Planning

Access to Insider builds allows enterprises to assess hardware compatibility, benchmark performance, and refine internal tools or scripts, reducing friction during upgrades or cloud migrations.

Real-World Scenario: Testing Hybrid Flexibility

Imagine an enterprise planning a hybrid infrastructure strategy using Azure Arc and on-prem Windows Server. By experimenting with preview builds, they can test hybrid management policies, refine group configurations, and validate security baselines — all without impacting production environments.

How to Get Started

Enrollment is straightforward. Enterprises can sign up using their Microsoft account and download the latest Insider builds from the Windows Server Insider Preview portal.

Final Thoughts

In enterprise tech, innovation waits for no one. The Windows Server Insider Program offers more than just access — it’s a strategic lever for proactive IT leadership. By embracing this program, organizations gain the insight, influence, and preparedness to lead in the evolving digital landscape.

If your enterprise hasn’t joined yet, now might be the best time to get ahead of the curve — because the future of infrastructure isn’t just about adopting change. It’s about helping build it. 🚀

 

Running Nano Server Insider Container on Windows Server 2025 Insider Preview Build 26080

Installing Docker on Windows Server 2025 Insider Preview Build 26080.1

During the Microsoft Windows Server Summit 2024 I got inspired to run a Windows Server 2025 Insider Preview Build and do something with Microsoft WinGet, because it is now installed by default on the latest Windows Server 2025 Insider Preview Build.

So with the following command, I installed Docker on the Windows Server Insider Preview Build version 26080:

Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/Windows-Containers/Main/helpful_tools/Install-DockerCE/install-docker-ce.ps1" -OutFile install-docker-ce.ps1
.\install-docker-ce.ps1

Docker running on Windows Server 2025 Insider Preview Build.
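
The download-and-run step above executes whatever the Main branch serves at that moment. As an added example (not from the original post or the Windows-Containers project), this PowerShell wrapper runs the script only if its SHA-256 matches a value recorded after you reviewed it; the function name Invoke-VerifiedScript and the hash placeholder are assumptions.

```powershell
# Added example: download, verify, then run.
# Invoke-VerifiedScript is a hypothetical helper; the pinned hash is a placeholder
# that you replace with the SHA-256 of the copy you actually reviewed.
function Invoke-VerifiedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [uri]    $Uri,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $OutFile = (Join-Path $PWD 'install-docker-ce.ps1')
    )

    # Refuse plain HTTP so the download cannot be altered in transit.
    if ($Uri.Scheme -ne 'https') {
        throw "Refusing non-HTTPS source: $Uri"
    }

    # Fetch to disk only; nothing is executed at this point.
    Invoke-WebRequest -UseBasicParsing -Uri $Uri -OutFile $OutFile

    # Compare the file on disk with the hash recorded at review time.
    # (-ne on strings is case-insensitive, so hex case does not matter.)
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        Remove-Item -Path $OutFile -Force
        throw "SHA-256 mismatch for $Uri (got $actual). Script deleted, not run."
    }

    # Informational only: the script may be unsigned, so this is reported, not enforced.
    $sig = Get-AuthenticodeSignature -FilePath $OutFile
    Write-Host "Hash OK. Authenticode status: $($sig.Status)"

    # Run the verified copy.
    & $OutFile
}

$params = @{
    Uri            = 'https://raw.githubusercontent.com/microsoft/Windows-Containers/Main/helpful_tools/Install-DockerCE/install-docker-ce.ps1'
    ExpectedSha256 = '<SHA256-OF-THE-REVIEWED-SCRIPT>'   # placeholder, not a real hash
}
Invoke-VerifiedScript @params
```

Because the URL tracks a branch, the hash check fails whenever the upstream script changes, which is the prompt to review the new version before updating the pinned value.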

Here I’m pulling the Nano Server Insider 26080 image.

With the following command:

docker pull mcr.microsoft.com/windows/nanoserver/insider:10.0.26080.1

The Nano Server Insider container image is in the repository.

The Microsoft Windows Package Manager (WinGet) tool now comes in handy on this Windows Server Insider Build, because I like to have Microsoft Visual Studio Code installed to play with the Windows Nano Server Insider container.

First I ran:

winget upgrade --all

With winget search vscode you get the list.

To install Visual Studio Code with WinGet:

winget install Microsoft.VisualStudioCode

Visual Studio Code is installing.

Visual Studio Code is Installed.


I installed the Docker extension in VSCode.

Microsoft Windows Nano Server Insider Image version 26080 in VSCode.

Running Nano Server Insider Container on Windows Server 2025 Insider Preview Build.

On the container host there is a virtual NAT adapter, 172.24.16.1, which is the gateway for the containers.

Important:

This is not for production environments; it is for testing and learning with new Microsoft technologies only.

More information about running Containers on Windows Servers

Become Microsoft Windows Server Insider

#Microsoft Windows Server Summit 2024 #Winserv #Hyperv #HybridIT

Don’t miss this awesome Microsoft Windows Server Summit 2024 virtual event to get the latest and greatest information, powered by the engineering team!

When: March 26-28, 2024. Mark your calendar 😉

Topic-wise, it will be wide-ranging, covering all the new goodness of Windows Server 2025, on-prem and hybrid scenarios, Azure Arc, Identity, Virtualization, SMB updates and more!
Here you can find more information: Windows Server Summit 2024

Get started Today with Windows Server 2025 Insider Preview Build in your test environment!
