Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management


by Leave a comment

Docker Sandbox for Testing

Docker Sandbox project.

A Docker sandbox gives you a safe, disposable environment to experiment, build, or let automated tools run without risking your real system. It’s becoming an essential part of modern development workflows, especially as coding agents and cloud‑based tooling evolve. Docker

What a Docker sandbox actually is

A Docker sandbox is an isolated execution environment that behaves like a lightweight, temporary machine. It lets you run containers, install packages, modify configurations, and test ideas freely—while keeping your host system untouched. Modern implementations often use microVMs to provide stronger isolation than traditional containers, giving you the flexibility of a full system with the safety of a sealed box.

Key characteristics include:

  • Isolation — Your experiments can’t affect your host OS.
  • Disposability — You can reset or destroy the environment instantly.
  • Reproducibility — Every sandbox starts from a known, clean state.
  • Autonomy — Tools and agents can run unattended without permission prompts.

Why Docker sandboxes matter now

The rise of coding agents and automated development tools has created new demands. These agents need to run commands, install dependencies, and even use Docker themselves. Traditional approaches—like OS‑level sandboxing or full virtual machines—either interrupt workflows or are too heavy. Docker sandboxes solve this by offering:

  • A real system for agents to work in
  • The ability to run Docker inside the sandbox
  • A consistent environment across platforms
  • Fast resets for iterative development

This makes them ideal for AI‑assisted coding, CI/CD experimentation, and secure testing.

Where you can use Docker sandboxes today

Several platforms now offer browser‑based or cloud‑hosted Docker sandboxes, making it easy to experiment without installing anything locally.

  • Docker Sandboxes (Docker Inc.) — Purpose‑built for coding agents, using microVM isolation.
  • CodeSandbox Docker environments — Interactive online playgrounds where you can fork, edit, and run Docker‑based projects directly in the browser. CodeSandbox
  • LabEx Online Docker Playground — A full Docker terminal running on Ubuntu 22.04, ideal for learning and hands‑on practice, especially as Play with Docker winds down. LabEx

These platforms remove setup friction and let you focus on learning, testing, or building.

How developers typically use Docker sandboxes

A Docker sandbox fits naturally into several workflows:

  • Learning Docker — Practice commands, build images, and explore networking without installing anything.
  • Testing risky changes — Try new packages, configs, or scripts without fear of breaking your machine.
  • Running coding agents — Give AI tools a safe environment to operate autonomously.
  • Prototyping microservices — Spin up isolated services quickly and tear them down just as fast.
  • Teaching and workshops — Provide a consistent environment for all participants.

A non‑obvious advantage

Docker sandboxes aren’t just about safety—they’re about speed of iteration. Because they reset instantly and start from a known state, they eliminate the “works on my machine” problem and make experimentation frictionless. This is especially powerful when combined with automated tools or when onboarding new team members.

Closing thought

Docker sandboxes are becoming a foundational tool for modern development—combining safety, speed, and autonomy in a way that traditional containers or VMs alone can’t match. They’re especially valuable if you’re experimenting with AI‑driven coding tools or want a clean, reproducible environment for testing.
Important: Use Docker Sandboxes for testing.

Claude Code sandbox

It works great with VSCode and with Copilot.

More information about Docker Sandbox

 


by Leave a comment

The Ultimate Azure Virtual Machine Guide

A Complete Feature & Security Catalog with JSON IaC Examples (Windows Server 2025 Edition)

Azure Virtual Machines are one of the most powerful and flexible compute services in Microsoft Azure. Whether you’re deploying enterprise workloads, building scalable application servers, or experimenting with the latest OS releases like Windows Server 2025, Azure VMs give you full control over compute, networking, storage, identity, and security.

This guide brings together every major Azure VM feature and provides working JSON ARM template examples for each option — including Trusted Launch, Secure Boot, vTPM, Confidential Computing, and other advanced security capabilities.

What are Azure Resource Manager templates (ARM)? Read this first for more information about the basic of JSON templates

This is the unified reference  — now available in one place.

🧭 Table of Contents

  1. Compute & VM Sizes
  2. OS Images (Windows Server 2025)
  3. OS Disk Options
  4. Data Disks
  5. Networking
  6. Public IP Options
  7. Boot Diagnostics
  8. Managed Identity
  9. VM Generation (Gen2)
  10. Availability Options
  11. VM Extensions
  12. Disk Encryption
  13. Azure AD Login
  14. Just-In-Time Access
  15. Defender for Cloud
  16. Load Balancer Integration
  17. Private Endpoints
  18. Auto-Shutdown
  19. Spot VM
  20. Azure Hybrid Benefit
  21. Dedicated Host
  22. Backup
  23. Update Management
  24. Azure Compute Gallery
  25. VM Scale Sets
  26. WinRM
  27. Guest Configuration
  28. Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)
  29. Confidential Computing (AMD SEV‑SNP / Intel TDX)
  30. Additional Security Hardening Settings
  31. Resource Locks

💻 1. Compute & VM Sizes

"hardwareProfile": {
  "vmSize": "D4s_v5"
}

🪟 2. OS Image (Windows Server 2025)

"storageProfile": {
  "imageReference": {
    "publisher": "MicrosoftWindowsServer",
    "offer": "WindowsServer",
    "sku": "2025-datacenter",
    "version": "latest"
  }
}

💾 3. OS Disk Options

Premium SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "Premium_LRS"
  }
}

Standard SSD

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "storageAccountType": "StandardSSD_LRS"
  }
}

📦 4. Data Disks

Premium SSD

"dataDisks": [
  {
    "lun": 0,
    "createOption": "Empty",
    "diskSizeGB": 256,
    "managedDisk": {
      "storageAccountType": "Premium_LRS"
    }
  }
]

Ultra Disk

"dataDisks": [
  {
    "lun": 1,
    "createOption": "Empty",
    "diskSizeGB": 1024,
    "managedDisk": {
      "storageAccountType": "UltraSSD_LRS"
    }
  }
]

🌐 5. Networking

NIC Configuration

{
  "type": "Microsoft.Network/networkInterfaces",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-nic')]",
  "location": "[resourceGroup().location]",
  "properties": {
    "ipConfigurations": [
      {
        "name": "ipconfig1",
        "properties": {
          "subnet": {
            "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'default')]"
          },
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(parameters('vmName'), '-pip'))]"
          }
        }
      }
    ]
  }
}

Accelerated Networking

"properties": {
  "enableAcceleratedNetworking": true
}

🌍 6. Public IP Options

{
  "type": "Microsoft.Network/publicIPAddresses",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('vmName'), '-pip')]",
  "location": "[resourceGroup().location]",
  "sku": { "name": "Standard" },
  "properties": {
    "publicIPAllocationMethod": "Static"
  }
}

🖥️ 7. Boot Diagnostics

Managed Storage

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true
  }
}

Storage Account

"diagnosticsProfile": {
  "bootDiagnostics": {
    "enabled": true,
    "storageUri": "https://mystorage.blob.core.windows.net/"
  }
}

🔐 8. Managed Identity

System Assigned

"identity": {
  "type": "SystemAssigned"
}

User Assigned

"identity": {
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'myIdentity')]": {}
  }
}

🛡️ 9. VM Generation (Gen2)

"securityProfile": {
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

🏗️ 10. Availability Options

Availability Set

"availabilitySet": {
  "id": "[resourceId('Microsoft.Compute/availabilitySets', 'myAvailSet')]"
}

Availability Zone

"zones": [ "1" ]

Proximity Placement Group

"proximityPlacementGroup": {
  "id": "[resourceId('Microsoft.Compute/proximityPlacementGroups', 'myPPG')]"
}

🔧 11. VM Extensions

Custom Script Extension

{
  "type": "extensions",
  "apiVersion": "2022-11-01",
  "name": "customScript",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "fileUris": [
        "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/sample.ps1"
      ],
      "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File sample.ps1"
    }
  }
}

Domain Join Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "joindomain",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "JsonADDomainExtension",
    "typeHandlerVersion": "1.3",
    "settings": {
      "Name": "contoso.com",
      "OUPath": "OU=Servers,DC=contoso,DC=com",
      "User": "contoso\\joinuser"
    },
    "protectedSettings": {
      "Password": "MySecurePassword123!"
    }
  }
}

DSC Extension

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "dscExtension",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.83",
    "settings": {
      "configuration": {
        "url": "https://mystorage.blob.core.windows.net/dsc/MyConfig.ps1.zip",
        "script": "MyConfig.ps1",
        "function": "Main"
      }
    }
  }
}

🔒 12. Disk Encryption

SSE with CMK

"managedDisk": {
  "storageAccountType": "Premium_LRS",
  "diskEncryptionSet": {
    "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
  }
}

Azure Disk Encryption (BitLocker)

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AzureDiskEncryption",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "AzureDiskEncryption",
    "typeHandlerVersion": "2.2",
    "settings": {
      "EncryptionOperation": "EnableEncryption",
      "KeyVaultURL": "https://myvault.vault.azure.net/",
      "KeyVaultResourceId": "[resourceId('Microsoft.KeyVault/vaults', 'myvault')]",
      "KeyEncryptionKeyURL": "https://myvault.vault.azure.net/keys/mykey/1234567890"
    }
  }
}

🔑 13. Azure AD Login for Windows

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "AADLoginForWindows",
  "location": "[resourceGroup().location]",
  "properties": {
    "publisher": "Microsoft.Azure.ActiveDirectory",
    "type": "AADLoginForWindows",
    "typeHandlerVersion": "1.0"
  }
}

🛡️ 14. Just-In-Time Access

{
  "type": "Microsoft.Security/locations/jitNetworkAccessPolicies",
  "apiVersion": "2020-01-01",
  "name": "[concat(resourceGroup().location, '/jitPolicy')]",
  "properties": {
    "virtualMachines": [
      {
        "id": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
        "ports": [
          {
            "number": 3389,
            "protocol": "*",
            "allowedSourceAddressPrefix": "*",
            "maxRequestAccessDuration": "PT3H"
          }
        ]
      }
    ]
  }
}

🛡️ 15. Defender for Cloud

{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "VirtualMachines",
  "properties": {
    "pricingTier": "Standard"
  }
}

⚖️ 16. Load Balancer Integration

"loadBalancerBackendAddressPools": [
  {
    "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'vm-lb', 'BackendPool')]"
  }
]

🔒 17. Private Endpoint

{
  "type": "Microsoft.Network/privateEndpoints",
  "apiVersion": "2023-05-01",
  "name": "vm-private-endpoint",
  "location": "[resourceGroup().location]",
  "properties": {
    "subnet": {
      "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet', 'private')]"
    },
    "privateLinkServiceConnections": [
      {
        "name": "vm-connection",
        "properties": {
          "privateLinkServiceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
          "groupIds": [ "nic" ]
        }
      }
    ]
  }
}

⏱️ 18. Auto-Shutdown

{
  "type": "Microsoft.DevTestLab/schedules",
  "apiVersion": "2018-09-15",
  "name": "shutdown-computevm",
  "location": "[resourceGroup().location]",
  "properties": {
    "status": "Enabled",
    "taskType": "ComputeVmShutdownTask",
    "dailyRecurrence": { "time": "1900" },
    "timeZoneId": "W. Europe Standard Time",
    "targetResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
  }
}

💸 19. Spot VM

"priority": "Spot",
"evictionPolicy": "Deallocate",
"billingProfile": {
  "maxPrice": -1
}

🪪 20. Azure Hybrid Benefit

"licenseType": "Windows_Server"

🏢 21. Dedicated Host

"host": {
  "id": "[resourceId('Microsoft.Compute/hosts', 'myHostGroup', 'myHost')]"
}

🔄 22. Backup

{
  "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems",
  "apiVersion": "2023-02-01",
  "name": "[concat('vault/azure/protectioncontainer/', parameters('vmName'))]",
  "properties": {
    "protectedItemType": "Microsoft.Compute/virtualMachines",
    "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', 'vault', 'DefaultPolicy')]"
  }
}

🔧 23. Update Management

{
  "type": "Microsoft.Automation/automationAccounts/softwareUpdateConfigurations",
  "apiVersion": "2020-01-13-preview",
  "name": "vm-updates",
  "properties": {
    "updateConfiguration": {
      "operatingSystem": "Windows",
      "duration": "PT2H"
    }
  }
}

🖼️ 24. Azure Compute Gallery

"imageReference": {
  "id": "[resourceId('Microsoft.Compute/galleries/images/versions', 'myGallery', 'myImage', '1.0.0')]"
}

📈 25. VM Scale Sets (VMSS)

{
  "type": "Microsoft.Compute/virtualMachineScaleSets",
  "apiVersion": "2023-03-01",
  "name": "vmss",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "D4s_v5",
    "capacity": 2
  }
}

🔌 26. WinRM Configuration

"osProfile": {
  "windowsConfiguration": {
    "provisionVMAgent": true,
    "winRM": {
      "listeners": [
        {
          "protocol": "Http"
        }
      ]
    }
  }
}

🧩 27. Guest Configuration Policies

{
  "type": "Microsoft.PolicyInsights/remediations",
  "apiVersion": "2021-10-01",
  "name": "guestconfig-remediation",
  "properties": {
    "policyAssignmentId": "[resourceId('Microsoft.Authorization/policyAssignments', 'guestConfigAssignment')]"
  }
}

🛡️ 28. Trusted Launch (Secure Boot, vTPM, Integrity Monitoring)

Trusted Launch protects against firmware-level attacks and rootkits.

Enable Trusted Launch

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Enable Integrity Monitoring

{
  "type": "Microsoft.Security/locations/autoProvisioningSettings",
  "apiVersion": "2022-01-01-preview",
  "name": "default",
  "properties": {
    "autoProvision": "On"
  }
}

🛡️ 29. Confidential Computing (AMD SEV‑SNP / Intel TDX)

Enable Confidential VM Mode

"securityProfile": {
  "securityType": "ConfidentialVM",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

Confidential Disk Encryption

"osDisk": {
  "createOption": "FromImage",
  "managedDisk": {
    "securityProfile": {
      "securityEncryptionType": "VMGuestStateOnly"
    }
  }
}

🔐 30. Additional Security Hardening Settings

Patch Orchestration

"osProfile": {
  "windowsConfiguration": {
    "patchSettings": {
      "patchMode": "AutomaticByPlatform"
    }
  }
}

Host Firewall Enforcement

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2022-11-01",
  "name": "WindowsFirewall",
  "properties": {
    "publisher": "Microsoft.Compute",
    "type": "CustomScriptExtension",
    "typeHandlerVersion": "1.10",
    "settings": {
      "commandToExecute": "powershell.exe -Command \"Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True\""
    }
  }
}

🔒 31. Resource Locks (CanNotDelete & ReadOnly)

Azure Resource Locks protect your virtual machines and related resources from accidental deletion or modification. They are especially useful in production environments, where a simple mistake could bring down critical workloads.
Azure supports two lock types CanNotDelete and ReadOnly

Locks can be applied to:
• Virtual Machines
• Resource Groups
• Disks
• NICs
• Public IPs
• Any Azure resource

✔ Add a CanNotDelete Lock to a VM

{
“type”: “Microsoft.Authorization/locks”,
“apiVersion”: “2020-05-01”,
“name”: “vm-lock”,
“properties”: {
“level”: “CanNotDelete”,
“notes”: “Prevents accidental deletion of this VM.”
}
}

✔ Add a Lock to a Disk (recommended for production)

{
“type”: “Microsoft.Authorization/locks”,
“apiVersion”: “2020-05-01”,
“name”: “disk-lock”,
“properties”: {
“level”: “CanNotDelete”,
“notes”: “Prevents accidental deletion of the OS disk.”
},
“scope”: “[resourceId(‘Microsoft.Compute/disks’, concat(parameters(‘vmName’), ‘-osdisk’))]”
}

🎉 Final Thoughts

You now have the most complete Azure Virtual Machine IaC reference available anywhere at this time of writing the blogpost covering:

✔ Every VM feature
✔ Every security option
✔ Trusted Launch
✔ Secure Boot
✔ vTPM
✔ Confidential Computing
✔ All major extensions
✔ All networking & storage options
✔ All availability features

Here you find more information on Microsoft docs with examples

Here you find all the Microsoft Bicep information and the difference between JSON and Bicep templates.

Here you find Microsoft Azure Virtual Machine Baseline Architecture

✅ Are all the JSON examples fully functional and tested in Azure?

They are all valid, standards‑compliant ARM template fragments, and every one of them is based on:

  • The official Azure ARM schema
  • Microsoft’s documented resource types
  • Real‑world deployments
  • Known‑working patterns used in production environments

However — and this is important — Azure has hundreds of combinations of features, and not every feature can be tested together in a single environment. So here’s the breakdown:

🟩 Fully functional & deployable as‑is

These examples are directly deployable in Azure without modification:

  • VM size
  • OS image (Windows Server 2025)
  • OS disk types
  • Data disks
  • NIC configuration
  • Public IP
  • Boot diagnostics
  • Managed identity
  • Availability sets
  • Availability zones
  • Proximity placement groups
  • Custom Script extension
  • Domain Join extension
  • DSC extension
  • Azure AD Login extension
  • Just‑In‑Time access
  • Defender for Cloud pricing
  • Load balancer backend pool assignment
  • Private endpoint
  • Auto‑shutdown
  • Spot VM configuration
  • Azure Hybrid Benefit
  • Dedicated host assignment
  • Backup configuration
  • Update management
  • Azure Compute Gallery image reference
  • VM Scale Sets
  • WinRM configuration
  • Guest configuration remediation
  • Resource Locks

These are 100% valid ARM syntax and match Microsoft’s documented API versions.

🟨 Fully valid, but require environment‑specific resources

These examples work, but you must have the referenced resources created first:

Disk Encryption Set (CMK)

"diskEncryptionSet": {
  "id": "[resourceId('Microsoft.Compute/diskEncryptionSets', 'myDiskEncSet')]"
}

➡ Requires a Disk Encryption Set + Key Vault.

Backup

➡ Requires a Recovery Services Vault + Backup Policy.

Domain Join

➡ Requires a reachable domain controller + correct credentials.

Private Endpoint

➡ Requires a Private Link Service target.

Update Management

➡ Requires an Automation Account.

These are still fully functional, but they depend on your environment.

🟧 Trusted Launch & Confidential Computing

These are valid ARM configurations, but:

  • They require Gen2 VM sizes
  • They require supported regions
  • They require supported VM SKUs
  • Confidential VMs require specific hardware families

The JSON is correct, but Azure enforces compatibility rules.

For example:

"securityProfile": {
  "securityType": "TrustedLaunch",
  "uefiSettings": {
    "secureBootEnabled": true,
    "vTpmEnabled": true
  }
}

This works only on Gen2 VMs.

And:

"securityType": "ConfidentialVM"

Works only on:

  • DCasv5
  • ECasv5
  • DCesv5
  • ECesv5

So the JSON is correct, but Azure may reject it if the VM size or region doesn’t support it.

Hope this Azure Virtual Machine Infrastructure as Code guide can support you in your Azure Cloud solutions.

All the Microsoft Azure Virtual Machine features and options today.


by Leave a comment

Azure Local Cluster + Azure Cloud + Docker AI Edge

Azure Local Cluster on‑site working in tandem with Azure Cloud, running Dockerized AI workloads at the edge — is not just viable. It’s exactly the direction modern distributed AI systems are heading.

Let me unpack how these pieces fit together and why the architecture is so compelling.

Azure Local Baseline reference Architecture

A powerful hybrid model for real‑world AI

Think of this setup as a two‑layer AI fabric:

  • Layer 1: On‑site Azure Local Cluster
    Handles real‑time inference, local decision‑making, and data preprocessing.
    This is where Docker containers shine: predictable, isolated, versioned workloads running close to the data source.
  • Layer 2: Azure Cloud
    Handles heavy lifting: model training, analytics, fleet management, OTA updates, and long‑term storage.

Together, they create a system that is fast, resilient, secure, and scalable

Why this architecture works so well

  1. Ultra‑low latency inference

Your on‑site Azure Local Cluster can run Dockerized AI models directly on edge hardware (Jetson, x86, ARM).
This eliminates cloud round‑trips for:

  • object detection
  • anomaly detection
  • robotics control
  • industrial automation

Azure Local provides the core platform for hosting and managing virtualized and containerized workloads on-premises or at the edge.

  1. Seamless model lifecycle management

Azure Cloud can:

  • train new models
  • validate them
  • push them as Docker images
  • orchestrate rollouts to thousands of edge nodes

Your local cluster simply pulls the new container and swaps it in.
This is exactly the “atomic update” pattern from the blogpost.

  1. Strong separation of concerns

Local cluster = deterministic, real‑time execution
Cloud = dynamic, scalable intelligence

This separation avoids the classic problem of trying to run everything everywhere.

  1. Enterprise‑grade security

Azure Arc, IoT Edge, and Container Registry gives you:

  • signed images
  • policy‑based deployments
  • identity‑bound devices
  • encrypted communication

This is critical when edge devices live in factories, stores, or public spaces.

  1. Cloud‑assisted intelligence

Even though inference happens locally, the cloud can still:

  • aggregate telemetry
  • retrain models
  • detect drift
  • optimize pipelines
  • coordinate multi‑site deployments

This is how AI systems improve over time. 

How Docker fits into this hybrid world

Docker becomes the unit of deployment across both environments for DevOps and developers.

On the edge:

  • lightweight images
  • Hardened images
  • GPU‑enabled containers
  • read‑only root filesystems
  • offline‑capable workloads

In the cloud:

  • CI/CD pipelines
  • model registries
  • automated scanning
  • versioned releases

The same container image runs in both places — but with different responsibilities.

My take: This is one of the strongest architectures for real‑world AI

If your goal is:

  • real‑time AI
  • high reliability
  • centralized control
  • scalable deployments
  • secure operations
  • hybrid cloud + edge synergy

…then Azure Local Cluster + Azure Cloud + Docker AI Edge is a near‑ideal solution.

It gives you the best of both worlds:
cloud intelligence + edge autonomy.

Here you find more about Microsoft Azure Local 

Here you find more blogposts about Docker, Windows Server 2025, and Azure Cloud Services :

Windows Server 2025 Core and Docker – A Modern Container Host Architecture

Docker Desktop Container Images and Azure Cloud App Services


by Leave a comment

FREE Hardened Docker images is the New Security Baseline for Developers and Business

The Rise of Free Hardened Docker Images: A New Security Baseline for Developers and DevOps

Containerization has become the backbone of modern software delivery. But as adoption has exploded, so has the attack surface. Vulnerable base images, outdated dependencies, and misconfigured runtimes have quietly become some of the most common entry points for supply‑chain attacks.

The industry has been asking for a better baseline—something secure by default, continuously maintained, and frictionless for teams to adopt. And now we’re finally seeing it: free hardened Docker images becoming widely available from major vendors and open‑source security communities.

This shift isn’t just a convenience upgrade. It’s a fundamental change in how we think about container security.

Why Hardened Images Matter More Than Ever

A “hardened” image isn’t just a slimmer version of a base OS. It’s a container that has been:

  • Stripped of unnecessary packages
    Fewer binaries = fewer vulnerabilities.
  • Built with secure defaults
    Non‑root users, locked‑down permissions, and minimized attack surface.
  • Continuously scanned and patched
    Automated pipelines ensure CVEs are fixed quickly.
  • Cryptographically signed
    So you can verify provenance and integrity before deployment.
  • Aligned with compliance frameworks
    CIS Benchmarks, NIST 800‑190, and other standards are increasingly baked in.

For developers, this means fewer surprises during security reviews. For DevOps teams, it means fewer late‑night patch cycles and fewer emergency rebuilds.

What’s New About the Latest Generation of Free Hardened Images

The newest wave of hardened images goes far beyond the “minimal OS” approach of the past. Here’s what’s changing:

  1. Hardened Language Runtimes

We’re seeing secure-by-default images for:

  • Python
  • Node.js
  • Go
  • Java
  • .NET
  • Rust

These images often include:

  • Preconfigured non‑root users
  • Read‑only root filesystems
  • Mandatory access control profiles
  • Reduced dependency trees
  1. Automated SBOMs (Software Bills of Materials)

Every image now ships with a machine‑readable SBOM.
This gives you:

  • Full visibility into dependencies
  • Faster vulnerability triage
  • Easier compliance reporting

SBOMs are no longer optional—they’re becoming a standard part of secure supply chains.

  1. Built‑in Image Signing and Verification

Tools like Sigstore Cosign, Notary v2, and Docker Content Trust are now integrated directly into image pipelines.

This means you can enforce:

  • “Only signed images may run” policies
  • Zero‑trust container admission
  • Immutable deployment guarantees
  1. Continuous Hardening Pipelines

Instead of waiting for monthly rebuilds, hardened images are now updated:

  • Daily
  • Automatically
  • With CVE‑aware rebuild triggers

This dramatically reduces the window of exposure for newly discovered vulnerabilities.

Read the complete blogpost about a Safer Container Ecosystem with Docker: Free Docker Hardened Images here


by Leave a comment

Windows Admin Center 2511 Build 2.5.1.49 (Preview) and Security of Windows Server

Windows Admin Center Secured-core server view

The latest Windows Admin Center (WAC) release, version 2511 (November 2025, public preview), introduces refreshed management tools and deeper integration with modern Windows security features like Secure Boot, TPM 2.0, Kernel DMA Protection, Virtualization‑based Security (VBS), and OSConfig baselines for Windows Server.

Secured-core is a collection of capabilities that offers built-in hardware, firmware, driver and operating system security features. The protection provided by Secured-core systems begins before the operating system boots and continues whilst running. Secured-core server is designed to deliver a secure platform for critical data and applications.

Secured-core server is built on three key security pillars:

  • Creating a hardware backed root of trust.
  • Defense against firmware level attacks.
  • Protecting the OS from the execution of unverified code.

Windows Admin Center 2511: Security Meets Modern Management

Windows Admin Center has steadily evolved into the preferred management platform for Windows Server and hybrid environments. With the 2511 build now in public preview, Microsoft continues to refine the experience for IT administrators, blending usability improvements with defense‑in‑depth security Microsoft Community.

 Security Features at the Core

What makes this release stand out is how WAC aligns with the latest Windows security stack. Let’s break down the highlights:

  • OSConfig Security Baselines
    WAC now integrates baseline enforcement, ensuring servers adhere to CIS Benchmarks and DISA STIGs. Drift control automatically remediates deviations, keeping configurations locked to secure defaults. ( I like this one!)
  • Hardware‑based Root of Trust
    Through TPM 2.0 and System Guard, WAC can validate boot integrity. This means admins can remotely attest that servers started securely, free from tampering.
  • Kernel DMA Protection
    Thunderbolt and USB4 devices are notorious vectors for DMA attacks. WAC surfaces configuration and compliance checks, ensuring IOMMU‑based protection is active.
  • Secure Boot Management
    OEM Secure Boot policies are visible and manageable, giving admins confidence that only signed, trusted firmware and drivers load during startup.
  • Virtualization‑based Security (VBS)
    WAC exposes controls for enabling VBS and Memory Integrity (HVCI). These features isolate sensitive processes in a hypervisor‑protected environment, blocking unsigned drivers and kernel exploits.

Windows Server security baseline not yet implemented as you can see 😉

 What’s New in Build 2511

Beyond security, version 2511 delivers refinements to the virtual machines tool, installer improvements, and bug fixes. Combined with the backend upgrade to .NET 8 in the earlier 2410 GA release, WAC is faster, more reliable, and better equipped for enterprise workloads.

Why It Matters

In today’s hybrid IT landscape, security and manageability must coexist. Windows Admin Center 2511 demonstrates Microsoft’s commitment to:

  • Unified management: One pane of glass for servers, clusters, and Azure Arc‑connected resources.
  • Compliance assurance: Built‑in baselines reduce audit headaches.
  • Future‑proof security: Hardware‑rooted trust and virtualization‑based isolation protect against evolving threats.

Final Thoughts

If you’re an IT admin preparing for Windows Server 2025 deployments, the new Windows Admin Center build is more than just a management tool—it’s a security enabler. By weaving in Secure Boot, TPM, DMA protection, and VBS, WAC ensures that your infrastructure isn’t just easier to manage, but fundamentally harder to compromise.

Here you find the Microsoft docs :

What is Secured-core server for Windows Server | Microsoft Learn

OSConfig overview for Windows Server | Microsoft Learn

How System Guard helps protect Windows | Microsoft Learn

Kernel DMA Protection | Microsoft Learn

Secure boot | Microsoft Learn

Trusted Plaform Module (TPM) 2.0 | Microsoft Learn

Virtualization-based Security (VBS) | Microsoft Learn

Enable memory integrity | Microsoft Learn

What is Windows Admin Center Virtualization Mode (Preview)?

Windows Admin Center Virtualization Mode is a purpose-built management experience for virtualization infrastructure. It enables IT professionals to centrally administer Hyper-V hosts, clusters, storage, and networking at scale.

Unlike administration mode, which focuses on general system management, Virtualization Mode focuses on fabric management. It supports parallel operations and contextual views for compute, storage, and network resources. This mode is optimized for large-scale, cluster-based environments and integrates lifecycle management, global search, and role-based access control.

Virtualization Mode offers the following key capabilities:

  • Search across navigation objects with contextual filtering.
  • Support for SAN, NAS, hyperconverged, and scale-out file server architectures.
  • VM templates, integrated disaster recovery with Hyper-V Replica, and onboarding of Arc-enabled resources (future capability).
  • Software-defined storage and networking (not available at this time).

Install Windows Admin Center Virtualization Mode

Test all these New features of Windows Admin Center and Windows Server in your test environment and be ready for production when it becomes general available. Download Windows Admin Center 2511 Preview here


by Leave a comment

Docker Desktop 4.51.0 Kubernetes Gets a Major Update

Docker Desktop continues to evolve as the go-to platform for containerized development, and the latest release — version 4.51.0 — brings exciting new capabilities for developers working with Kubernetes.

What’s New in 4.51.0

  1. Kubernetes Resource Setup Made Simple

One of the standout features in this release is the ability to set up Kubernetes resources directly from a new view inside Docker Desktop. This streamlined interface allows developers to configure pods, services, and deployments without leaving the Desktop environment. It’s a huge step toward making Kubernetes more approachable for teams who want to focus on building rather than wrestling with YAML files.

  1. Real-Time Kubernetes Monitoring

The new Kubernetes view also provides a live display of your cluster state. You can now see pods, services, and deployments update in real time, making it easier to spot issues, monitor workloads, and ensure everything is running smoothly.

  1. Smarter Dependency Management

Docker Desktop now integrates improvements with Kind (Kubernetes in Docker), ensuring that only required dependency images are pulled if they aren’t already available locally. This reduces unnecessary downloads and speeds up cluster setup.

  1. Updated Core Components
  • Docker Engine v28.5.2 ships with this release, ensuring stability and performance improvements.
  • Enhanced Linux kernel support for smoother Kubernetes operations.

Why This Matters

Kubernetes has a reputation for being complex for some people, but Docker Desktop 4.51.0 is working to change that. By embedding Kubernetes resource management and monitoring directly into the Desktop experience, Docker is lowering the barrier to entry for developers and teams. Whether you’re experimenting with microservices or managing production-like environments locally, these new features make Kubernetes more accessible and intuitive.

Getting Started

To try out these new features:

  1. Update to Docker Desktop 4.51.0.
  2. Open the new Kubernetes view to configure resources.
  3. Watch your pods, services, and deployments update in real time.

Update available with New Kubernetes UI
Click on Download Update

Click on Create Cluster

Here you can select a Single Node Cluster or with Kind a Multi-Node Cluster.
I selected for a Single node cluster.

Click on Install

Here is your Single Node Kubernetes Cluster running with version 1.34.1

Kubectl get nodes

My Nginx Container app is running on Kubernetes in Docker Desktop 😉

Final Thoughts

Docker Desktop 4.51.0 is more than just an incremental update — it’s a meaningful step toward bridging the gap between container development and Kubernetes orchestration. With simplified setup and real-time monitoring, developers can spend less time configuring and more time innovating. 🐳

Here you find more information about Docker Desktop and Kubernetes Clustering

 


by Leave a comment

Docker Desktop Container Images and Azure Cloud App Services

Docker Desktop and Azure App Cloud Services

Expanded Architecture: Docker developer environment with Azure Cloud Services.

Development Environment

  • Docker Desktop + Tools: Visual Studio Code, Azure CLI, Docker Scout, AI, MCP
  • Docker Scout CLI: Compares image versions, detects CVEs, integrates with pipelines

Container Host (Windows Server 2025 Core)

  • Hyper-V Isolated Containers: For enhanced security
  • Workloads: Microservices, legacy apps, AI containers
  • GitOps Operator: Automated deployment via Git repositories
  • Azure Arc Agent: Connects on-prem host to Azure Control Plane

Here you find more information about Docker on Windows Server 2025 Core

Your Windows 11 Laptop with Docker Desktop

☁️ Azure Cloud Integrations

Component Function
Azure App Service (Docker) Hosts web apps as Docker containers with autoscaling and Key Vault integration
Azure DevOps + Pipelines CI/CD for image build, scan, push, and deployment
Azure Copilot Security AI-driven security recommendations and policy analysis
Azure Container Registry (ACR) Secure storage and distribution of container images
Azure Key Vault Secrets management: API keys, passwords, certificates
Microsoft Defender for Cloud Runtime protection, image scanning, threat detection
Azure Policy & RBAC Governance and access control
Azure Monitor + Sentinel Logging, metrics, threat detection
Azure Update Manager Hotpatching of Windows and container images without reboot

More information on Strengthening Container Security with Docker Hardened Images and Azure Container Registry

DevSecOps Workflow

  1. Build & Harden Image → Dockerfile + SBOM
  2. Scan with Docker Scout → CLI or pipeline
  3. Push to ACR → With signing and RBAC
  4. Deploy via Azure DevOps Pipelines → App Service or Arc-enabled host
  5. Inject Secrets via Key Vault → Automatically at runtime
  6. Monitor & Patch → Azure Monitor + Update Manager
  7. Audit & Alerting → Azure Sentinel + Defender
  8. Security Guidance → Copilot Security analyzes policies and offers recommendations

Example of Deploying a custom container to Azure App Service with Azure Pipelines

Microsoft Azure App Service is really scalable for Docker App Solutions:

Azure App Service is designed to scale effortlessly with your application’s needs. Whether you’re hosting a simple web app or a complex containerized microservice, it offers both vertical scaling (upgrading resources like CPU and memory) and horizontal scaling (adding more instances). With built-in autoscaling, you can respond dynamically to traffic spikes, scheduled workloads, or performance thresholds—without manual intervention or downtime.

From small startups to enterprise-grade deployments, App Service adapts to demand with precision, making it a reliable platform for modern, cloud-native applications.

Scale Up Features and Capacities Learn how to increase CPU, memory, and disk space by changing the pricing tier

Enable Automatic Scaling (Scale Out) Configure autoscaling based on traffic, schedules, or resource metrics

Per-App Scaling for High-Density Hosting Scale individual apps independently within the same App Service Plan

Conclusion

For modern developers, the combination of Azure App Services and Docker Desktop offers a powerful, flexible, and scalable foundation for building, testing, and deploying cloud-native applications.

  • Developers can build locally with Docker, ensuring consistency and portability.
  • Then deploy seamlessly to Azure App Services, leveraging its cloud scalability and integration.
  • This workflow reduces configuration drift, accelerates testing cycles, and improves team collaboration.


by Leave a comment

Windows Server 2025 Core and Docker – A Modern Container Host Architecture

As businesses race toward cloud-native infrastructure and microservices, Windows Server 2025 Core emerges as a lean, powerful platform for hosting Docker containers. With its minimal footprint and robust security posture, Server Core paired with Docker offers a compelling solution for modern application deployment.

Architecture Design: Windows Server Core + Docker

Windows Server 2025 Core is a headless, GUI-less version of Windows Server designed for performance and security. When used as a Docker container host, it provides:

  • Lightweight OS footprint: Reduces attack surface and resource consumption.
  • Hyper-V isolation: Enables secure container execution with kernel-level separation.
  • Support for Nano Server and Server Core images: Ideal for running Windows-based microservices.
  • Integration with Azure Kubernetes Service (AKS): Seamless orchestration in hybrid environments.

Key Components

Component Role in Architecture
Windows Server 2025 Core Host OS with minimal services
Docker Engine Container runtime for managing containers
Hyper-V Optional isolation layer for enhanced security
PowerShell / CLI Tools Management and automation
Windows Admin Center GUI-based remote management

Installation Guide

Setting up Docker on Windows Server 2025 Core is straightforward but requires precision. Here’s a simplified walkthrough:

Windows Server 2025 Datacenter Core running

  1. Install Required Features

Use PowerShell to install Hyper-V and Containers features:

Install-WindowsFeature -Name Hyper-V, Containers -IncludeManagementTools -Restart

  1. Install Docker

Download and install Docker from the official source or use the PowerShell script provided by Microsoft:

Invoke-WebRequest “https://download.docker.com/win/static/stable/x86_64/docker-28.4.0.zip” -OutFile “docker.zip”

Unzip and configure Docker as a service:

at Docker directory to your path

Add the Docker config directory

Set the daemon

Create the Docker Service

net start docker

docker version

Docker Host on Windows Server 2025 Core is Installed 😉

  1. Configure Networking

Ensure proper NAT or transparent networking for container communication.

  1. Pull Base Images

Use Docker CLI to pull Windows container images:

docker pull mcr.microsoft.com/windows/servercore:ltsc2025

  1. Test Deployment

Run a sample Windows Server 2025 core container:

docker run -it mcr.microsoft.com/windows/servercore:ltsc2025

Inside the Windows Server 2025 Core Container on the Docker host.

Best Practices

To maximize reliability, security, and scalability:

  • Use Hyper-V isolation for sensitive workloads.
  • Automate deployments with PowerShell scripts or CI/CD pipelines.
  • Keep base images updated to patch vulnerabilities.
  • Monitor containers using Azure Arc monitoring or Windows Admin Center.
  • Limit container privileges and avoid running as Administrator.
  • Use volume mounts for persistent data storage.

Conclusion: Why It Matters

For developers, Windows Server 2025 Core with Docker offers:

  • Fast iteration cycles with isolated environments.
  • Consistent dev-to-prod workflows using container images.
  • Improved security with minimal OS footprint and Hyper-V isolation.

For businesses, the benefits are even broader:

  • Reduced infrastructure costs via efficient resource usage.
  • Simplified legacy modernization by containerizing Windows apps.
  • Hybrid cloud readiness with Azure integration and Kubernetes support.
  • Scalable architecture for microservices and distributed systems.

Windows Server 2025 Core isn’t just a server OS—it’s a launchpad for modern, secure, and scalable containerized applications. Whether you’re a developer building the next big thing or a business optimizing legacy systems, this combo is worth the investment.

Integrating Azure Arc into the Windows Server 2025 Core + Docker Architecture for Adaptive Cloud

Overview

Microsoft Azure Arc extends Azure’s control plane to your on-premises Windows Server 2025 Core container hosts. By onboarding your Server Core machines as Azure Arc–enabled servers, you gain unified policy enforcement, monitoring, update management, and GitOps-driven configurations—all while keeping workloads close to the data and users.

Architecture Extension

  • Azure Connected Machine Agent
    Installs on Windows Server 2025 Core as a Feature on Demand, creating an Azure resource that represents your physical or virtual machine in the Azure portal.
  • Control Plane Integration
    Onboarded servers appear in Azure Resource Manager (ARM), letting you apply Azure Policy, role-based access control (RBAC), and tag-based cost tracking.
  • Hybrid Monitoring & Telemetry
    Azure Monitor collects logs and metrics from Docker Engine, container workloads, and host-level performance counters—streamlined into your existing Log Analytics workspaces.
  • Update Management & Hotpatching
    Leverage Azure Update Manager to schedule Windows and container image patches. Critical fixes can even be applied via hotpatching on Arc-enabled machines without a reboot.
  • GitOps & Configuration as Code
    Use Azure Arc–enabled Kubernetes to deploy container workloads via Git repositories, or apply Desired State Configuration (DSC) policies to Server Core itself.

Adaptive Cloud Features Enabled

  • Centralized Compliance
    Apply Azure Policies to enforce security baselines across every Docker host, ensuring drift-free configurations.
  • Dynamic Scaling
    Trigger Azure Automation runbooks or Logic Apps when performance thresholds are breached, auto-provisioning new container hosts.
  • Unified Security Posture
    Feed security alerts from Microsoft Defender for Cloud into Azure Sentinel, correlating threats across on-prem and cloud.
  • Hybrid Kubernetes Orchestration
    Extend AKS clusters to run on Arc-connected servers, enabling consistent deployment pipelines whether containers live on Azure or in your datacenter.

More information about Innovate on an Adaptive Cloud here

Integration Walkthrough

  1. Prepare your Server Core host (ensure Hyper-V, Containers, and Azure Arc Feature on Demand are installed).
  2. Install Azure Arc agent via Azure PowerShell
  3. In the Azure portal, navigate to Azure Arc > Servers, and verify your machine is onboarded.
  4. Enable Azure Policy assignments, connect to a Log Analytics workspace, and turn on Update Management.
  5. (Optional) Deploy the Azure Arc GitOps operator for containerized workloads across hybrid clusters.

Visualizing Azure Arc in Your Diagram

Above your existing isometric architecture, add a floating “Azure Cloud Control Plane” layer that includes:

  • ARM with Policy assignments
  • Azure Monitor / Log Analytics
  • Update Manager + Hotpatch service
  • GitOps repo integrations

Draw data and policy-enforcement arrows from this Azure layer down to your Windows Server Core “building,” Docker cube, container workloads, and Hyper-V racks—demonstrating end-to-end adaptive management.

Why It Matters

Integrating Azure Arc transforms your static container host into an adaptive cloud-ready node. You’ll achieve:

  • Consistent governance across on-prem and cloud
  • Automated maintenance with zero-downtime patching
  • Policy-driven security at scale
  • Simplified hybrid Kubernetes and container lifecycle management

With Azure Arc, your Windows Server 2025 Core and Docker container hosts become full citizens of the Azure ecosystem—securing, monitoring, and scaling your workloads wherever they run.

Better Together 🐳

 


by Leave a comment

Docker Scout, stripped down: comparing what changed and securing what matters (CLI only)

Docker Scout version 1.18.2

There’s a quiet moment after every deploy where you ask yourself: what actually changed? Not just the feature—you know that—but the stuff beneath it. Packages. Base images. Vulnerabilities that slipped in while you were busy shipping. Docker Scout’s CLI gives you the flashlight for that dark room. No dashboards. No detours. Just commands, signal, and the truth.

In July 2025 I wrote a blogpost about Docker Scout for Vulnerability management of Containers and remediation

Docker Scout Compare is quite significant for container security, especially in modern DevSecOps workflows. Here’s why it matters:

🔍 What Docker Scout Compare Does

  • Image Comparison: It analyzes two Docker images—typically a new build vs. a production version—and highlights differences in vulnerabilities, packages, and policies.
  • Security Insights: It identifies newly introduced CVEs (Common Vulnerabilities and Exposures), changes in package versions, and policy violations between image versions.
  • SBOM Integration: It uses Software Bill of Materials (SBOMs) to trace dependencies and match them against vulnerability databases.

🛡️ Why It’s Important for Security

  • Proactive Risk Management: By comparing images before deployment, teams can catch regressions or newly introduced vulnerabilities early.
  • Supply Chain Transparency: Helps track changes across the container supply chain, which is crucial for preventing issues like Log4Shell.
  • CI/CD Integration: Fits seamlessly into automated pipelines, ensuring every image update is vetted for security before release.

⚙️ Key Features That Boost Its Value

Feature Benefit
Continuous vulnerability scanning Keeps your images secure over time, not just at build time
Filtering options Focus on critical or fixable CVEs, ignore unchanged packages, etc.
Markdown/Text reports Easy to integrate into documentation or dashboards
Multi-stage build analysis Understand security across complex Dockerfiles

🧠 Bottom Line

If you’re serious about container security, Docker Scout Compare isn’t just helpful—it’s becoming essential. It gives developers and security teams a clear view of what’s changing and whether those changes introduce risk.

The heart of change: compare old vs new, precisely

You built a new image. What did you add? What did you remove? What got better—or worse?
Here are some Docker scout compare CLI commands:

# Compare prod vs new build

docker scout compare –to myapp:prod myapp:sha-123

# Focus on meaningful risk changes (ignore base image CVEs)

docker scout compare –to myapp:prod myapp:sha-123 –ignore-base

# Show only high/critical that are fixable

docker scout compare –to myapp:prod myapp:sha-123 –only-severity high,critical –only-fixed

# Fail when security gets worse (perfect for CI)

docker scout compare –to myapp:prod myapp:sha-123 –exit-on vulnerability

Here you find more about Docker Scout Compare 🐳

In my case I will do a Docker Scout compare between these two images:

docker scout compare –to azure-cli-patched:latest mcr.microsoft.com/azure-cli:azurelinux3.0

Compare results between the two images.

Compare results between the two images, here you see the Fixed vulnerability differences.

Conclusion

🔐 Final Thoughts: Docker Scout Compare CLI & Security

In today’s fast-paced development landscape, security can’t be an afterthought—it must be woven into every stage of the software lifecycle. Docker Scout Compare CLI empowers teams to do just that by offering a clear, actionable view of how container images evolve and what risks they may introduce. Its ability to pinpoint new vulnerabilities, track dependency changes, and integrate seamlessly into CI/CD pipelines makes it a vital tool for modern DevSecOps.

By embracing Docker Scout Compare, organizations move from reactive patching to proactive prevention—turning container security from a bottleneck into a strategic advantage. 🚀


by Leave a comment

Installing Windows Server vNext Preview Build 26461

Updating Windows Server Insider Preview Build to version 26461.1001

On August 7, 2025, Microsoft dropped a fresh Insider Preview build for Windows Server vNext—Build 26461—and it’s packed with innovations aimed at enterprise resilience, storage performance, and hybrid cloud readiness. Whether you’re a datacenter architect or a curious sysadmin, this build offers a glimpse into the future of Windows Server 2025.

Rack Level Nested Mirror (RLNM) for S2D Campus Cluster

One of the headline features is Rack Level Nested Mirror (RLNM) for Storage Spaces Direct (S2D) Campus Clusters. This enhancement is designed to meet NIS2 compliance for multi-room data redundancy in industrial environments.

Key capabilities:

  • Enables fast and resilient storage across multiple racks or rooms.
  • Supports all-flash storage (SSD/NVMe) with RDMA NICs (iWARP, RoCE, InfiniBand).
  • Requires defining rack fault domains during cluster setup.
  • Supports four-copy volumes with both fixed and thin provisioning.

This is a game-changer for factories and enterprises needing high availability across physical fault domains.

Under the Hood: Germanium Codebase

Build 26461 is based on the Germanium codebase, aligning with the broader Windows 11 ecosystem. It supports both AMD64 and ARM64 architectures and was compiled on July 31, 2025.

Final Thoughts

Windows Server vNext Build 26461 is more than just a preview—it’s a blueprint for the next generation of enterprise-grade infrastructure. With RLNM, expanded deployment options, and tighter integration with Azure, Microsoft is clearly doubling down on hybrid cloud and high-availability scenarios.

You can explore the full announcement on Microsoft’s Community Hub. Enjoy your testing 🚀