During this year’s Microsoft Ignite conference, there was a presentation on the new and upcoming Active Directory and Certificate Services features included with Windows Server 2025. While Windows Server 2019 did not introduce new domain or forest functional levels, the 2025 version brings several changes and updates.
First, Microsoft is making major investments in the security, cloud, and supportability pillars. Some of the updates since this version was announced at Ignite 2024 are an expansion of LDAP discoverable events, better auditing of NTLM events (identifying legacy usage and warning about NTLMv1), an expanded Fixup Object State that now covers objects with no SAM account, and a way to check and fix DN references.
Newly announced changes to Certificate Services during this year’s Ignite conference include features such as CRL partitioning to improve certificate validation time. There will now also be support for templates with two or more URLs, and refresh tokens will be decoupled from SSO cookies. Pre-sign linting has been added for both standalone and enterprise CAs to support better workflow automation. Post-quantum cryptography is coming in 2026. There will also be enhancements to the auditing of CA requests, such as a mismatched requester versus subject, an unexpected OS version or authentication method, and a surge in denied requests.
Features coming in 2026 for Active Directory include improvements around forest recovery during “cyber security events”, better integration with Defender features, hybrid security support, and other OS security features. There will also be expanded auditing of security events, as well as improvements to Delegated Managed Service Accounts (dMSA). Support for additional authentication methods, such as third-party MFA solutions, is also being expanded.
As part of tightening Certificate Services and Active Directory security, work continues on hardening the overall 2025 operating system. Many ports and services that are not needed will be off by default, UAC and ACLs will be hardened, and disabling audit logs will not be allowed. There is going to be greater enforcement against unsigned drivers, along with protections to prevent tampering with Defender’s functionality. Protections against credential theft are also coming in the form of “Protected Process Light” (PPL) for LSASS, which shields the process from tampering, even from scripts.
Overall, it seems a lot of work is going into the Windows Server operating system, particularly around security, to better protect organizations from threat actors. I am looking forward to these new measures, as I am sure others are as well.