Windows Server 2025 is now available on our VPS hosting platform, and every instance includes virtual TPM (Trusted Platform Module) support. This is Microsoft’s most security-focused server release yet, and the virtual TPM is what unlocks most of the new security features.
What virtual TPM means for your VPS
A Trusted Platform Module is a hardware chip (or in our case, a virtual equivalent) that provides a secure enclave for cryptographic keys and sensitive operations. On physical servers, TPM is a chip on the motherboard. On a VPS, we emulate it through vTPM, giving your Windows virtual server the same security capabilities as a physical machine.
TPM 2.0 is now a baseline requirement for Windows Server 2025. Without it, many of the new security features simply don’t work. Here’s what vTPM enables on your Windows VPS:
BitLocker drive encryption: Encrypt your VPS disk at rest. BitLocker uses the TPM to seal encryption keys, so the disk can only be unlocked on the same virtual machine. If someone were to copy the virtual disk, they couldn’t read it without the TPM-sealed keys.
Credential Guard: Uses Virtualization-Based Security (VBS) to isolate NTLM password hashes and Kerberos tickets in a protected virtual environment. Even if malware compromises the OS, it can’t extract credentials from memory. This blocks pass-the-hash and pass-the-ticket attacks, which are among the most common techniques for lateral movement in Windows networks. Microsoft enables Credential Guard by default on Windows Server 2025 when the prerequisites (TPM 2.0, Secure Boot) are met.
Measured Boot: The TPM records measurements of each component in the boot process (firmware, bootloader, kernel). If any component has been tampered with, the measurements won’t match and the system can detect the compromise. This protects against rootkits and boot-level malware.
Device attestation: Remote services can verify that your VPS is running an untampered OS with the expected security configuration. Useful for compliance scenarios where you need to prove your server’s integrity.
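To confirm these protections are actually active on a deployed instance, the following added example (not part of our platform tooling) reports TPM, Secure Boot, VBS, Credential Guard and BitLocker state from an elevated PowerShell session. The function name `Get-VtpmSecurityPosture` is hypothetical; the cmdlets and CIM classes it calls are standard Windows ones.

```powershell
# Added example: report whether the vTPM-dependent protections are active.
# Get-VtpmSecurityPosture is a hypothetical helper name. Run elevated.
function Get-VtpmSecurityPosture {
    $tpm = Get-Tpm

    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.59".
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                    -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Confirm-SecureBootUEFI throws on non-UEFI firmware; treat that as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # VirtualizationBasedSecurityStatus 2 = running.
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = $dg.VirtualizationBasedSecurityStatus -eq 2
    $credGuard  = $dg.SecurityServicesRunning -contains 1

    # BitLocker cmdlets exist only when the BitLocker feature is installed.
    $osVolume = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive `
                        -ErrorAction SilentlyContinue
    }
    # A Tpm* key protector means the volume key is sealed to the (v)TPM.
    $tpmProtectors = @($osVolume.KeyProtector |
                         Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    [pscustomobject]@{
        TpmPresent             = $tpm.TpmPresent
        TpmReady               = $tpm.TpmReady
        TpmSpecIs20            = ($tpmSpec -like '2.0*')
        SecureBootEnabled      = $secureBoot
        VbsRunning             = $vbsRunning
        CredentialGuardRunning = $credGuard
        OsVolumeProtectionOn   = ("$($osVolume.ProtectionStatus)" -eq 'On')
        OsVolumeSealedToTpm    = ($tpmProtectors.Count -gt 0)
    }
}

Get-VtpmSecurityPosture | Format-List
```

Any `False` in the output points at a prerequisite that is not met or a feature that has not been turned on yet; BitLocker in particular is not encrypting anything until you enable it on the volume.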
What else is new in Windows Server 2025
Beyond vTPM, Windows Server 2025 brings substantial improvements:
SMB over QUIC: Access Windows file shares securely over the internet without a VPN. QUIC provides TLS 1.3 encryption at the transport layer, so SMB traffic is protected even on untrusted networks. This is useful for remote offices and mobile workers who need to access file shares hosted on a Windows VPS.
SMB hardening: Hardened firewall defaults, brute-force attack prevention, and protections against man-in-the-middle, relay, and spoofing attacks. The SMB stack in Server 2025 is significantly more secure out of the box than previous versions.
Active Directory improvements: Better scalability, improved authentication protocols, stronger encryption defaults, and new cryptographic support. If you run a domain controller on a Windows VPS, these improvements matter for both security and performance.
Delegated Managed Service Accounts (dMSA): Eliminates manual password management for service accounts. Active Directory handles password rotation automatically, with better visibility and logging. This reduces one of the most common security gaps in Windows environments: stale service account passwords.
Hotpatching via Azure Arc: Apply security patches without rebooting. If you manage your VPS through Azure Arc, you can receive critical security updates that take effect immediately, reducing the window of vulnerability and eliminating reboot downtime for patches.
TLS 1.3 everywhere: Building on Server 2022’s TLS 1.3 support, Server 2025 extends it to more components and hardens the default cipher suites further.
Common use cases for Windows Server 2025
- IIS web hosting: Run ASP.NET and ASP.NET Core applications on Windows VPS with the latest IIS, now with stronger TLS defaults
- SQL Server: Host databases with BitLocker-encrypted storage and Credential Guard protecting database service credentials
- Remote Desktop Services: Provide remote desktops to teams with SMB over QUIC for secure file access
- Active Directory: Run domain controllers with the latest AD security improvements and dMSA
- File servers: Share files securely over the internet using SMB over QUIC without exposing a VPN
- Compliance-sensitive workloads: Healthcare, finance, and government applications that require disk encryption, credential isolation, and boot integrity verification
Older Windows Server versions still available
You can still deploy Windows Server 2022, 2019, 2016, 2012, and 2008 from the Client Portal if you need them. We also offer Windows 7 and Windows 10 for remote desktop use cases. We’re a licensed Microsoft partner, so licensing is included with every Windows VPS.
How to deploy
Log into the Client Portal, create a new Windows VPS, and select Windows Server 2025 as your OS template. Virtual TPM is included automatically at no extra cost. Your server is ready in minutes.
For dedicated servers, Windows Server 2025 can be installed during provisioning with physical TPM support. Contact us if you need a specific edition or additional Microsoft software.