What’s Changed in This Release Candidate of Windows Server 2008 R2

Applies To: Windows Server 2008 R2

This document describes key changes to functionality between the beta and Release Candidate (RC) of Windows Server® 2008 R2.

Note

This document is not a comprehensive list of all the changes in Windows Server 2008 R2 RC but instead focuses on improvements in several areas including core services, security, and server management.

Unless otherwise specified, these items apply to all editions and installation options of Windows Server 2008 R2.

In this document:

  • Core services

  • Networking and mobility

  • Security

  • Server management

  • Miscellaneous

Core services

| Feature | Beta | RC |
| --- | --- | --- |
| Windows®-on-Windows 64-bit (WOW64) | Installable | Installed by default in the Server Core installation option. |
| Windows Deployment Services | The PXE Provider did not work in the beta release. | The PXE Provider issue has been resolved, so you can use the Transport Server role service to network boot client computers. |

Networking and mobility

| Feature | Beta | RC |
| --- | --- | --- |
| DirectAccess smart card support | Required Windows 7 Domain Functional Mode | The option to enforce smart cards for all interactive logins has been removed from the DirectAccess Wizard. |
| DirectAccess diagnostics | | Diagnostics support is greatly enhanced, including a Troubleshooting entry point within Control Panel. |
| DirectAccess user experience | Included Corporate Connectivity Notification | Corporate Connectivity Notification has been removed. |

DirectAccess

This item applies to Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, and Windows Server 2008 R2 Datacenter.

DirectAccess includes many improvements in smart card use, diagnostics, and user experience:

  • Smart cards. Smart card support no longer requires Windows Server 2008 R2 Domain Functional Mode. Smart card management has been simplified to focus on edge enforcement (rather than edge enforcement and local client enforcement). Beta feedback suggested that the local client enforcement option could create an increased number of support issues for organizations. Therefore, the option to enforce smart cards for all interactive logins is no longer available in the DirectAccess Wizard. Also, an enhanced user notification now helps the user learn when a smart card is required.

  • Troubleshooting. Support for troubleshooting is enhanced, including a Windows Troubleshooting entry point within Control Panel. If a resource is not reachable (for example, a Web site fails to load), use the Diagnose Connection entry point in Internet Explorer or the Troubleshoot problems entry point to help determine the cause of the issue.

  • User experience. Corporate Connectivity Notification has been removed to simplify the user experience; only Internet Access is displayed. If a resource is not reachable, the user should use the troubleshooting features to determine the reason.

For more information, see the DirectAccess (https://go.microsoft.com/fwlink/?LinkId=150441) home page on Microsoft® TechNet.

Security

| Feature | Beta | RC |
| --- | --- | --- |
| Windows PowerShell™ cmdlets | | Windows PowerShell cmdlets have been added to facilitate building rule sets. |
| AppLocker user interface | | The Windows Explorer administrative template can be configured to display a custom URL when AppLocker blocks an application. |
| User Account Control | A user could change the notification level in the User Account Control (UAC) control panel without receiving a prompt for administrative credentials. | The UAC control panel now runs in a high integrity process, so changing the UAC notification level prompts for confirmation. When a user is logged on with a standard user account, that user must provide administrative credentials to change the default UAC notification level. |

AppLocker

  • The AppLocker UI includes a new administrative template, which can be configured by an administrator to display a customized URL when AppLocker blocks an application from starting. The message can be used to reduce help desk calls by directing users to a help desk intranet site.

    To customize the administrative template, follow these steps:

    1. Open the Group Policy Management snap-in, right-click a Group Policy object (GPO), and then click Edit.

    2. In the Group Policy Management Editor snap-in, expand Administrative Templates, expand Windows Components, and then click Windows Explorer.

    3. In the details pane, under Setting, double-click Set a support web page link.

    4. Select Enabled, and then type a custom URL in the Support Web page URL text box.

    5. Click OK.

  • New Windows PowerShell cmdlets, used in conjunction with the AppLocker UI, provide building blocks that help author, test, maintain, and troubleshoot AppLocker policies. These cmdlets allow an organization to build and import new AppLocker rules from event log information collected by running AppLocker in audit mode. As a result, these cmdlets help automate the IT processes required to build appropriate rule sets easily and confidently.
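The audit-to-rules workflow described above, sketched as an added example (not code from the original document). The output file, the sample application path, and the rule-name prefix are placeholders chosen for illustration.

```powershell
# Added example. Paths and the rule-name prefix below are placeholders.
Import-Module AppLocker

$policyXml  = 'C:\Temp\AppLocker-FromAudit.xml'   # placeholder output file
$sampleApps = 'C:\Program Files\Contoso\*.exe'    # placeholder: apps that must keep working

# 1. Read the files AppLocker logged while the rules ran in audit mode
#    (events meaning "this would have been blocked under enforcement").
$audited = Get-AppLockerFileInformation -EventLog -EventType Audited
if (-not $audited) {
    Write-Warning 'No audited AppLocker events found; nothing to build rules from.'
    return
}

# 2. Build candidate rules: publisher rules for signed files, hash rules otherwise.
#    -Optimize merges similar rules; -Xml emits the policy as XML text for review.
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'FromAudit' -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $policyXml

# 3. Dry run: evaluate the candidate policy against known-good applications
#    and collect anything it would still deny.
$paths  = Get-ChildItem -Path $sampleApps | ForEach-Object { $_.FullName }
$denied = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $paths -User Everyone |
    Where-Object { $_.PolicyDecision -like 'Denied*' }

if ($denied) {
    # Review these before importing; the candidate policy does not cover them.
    $denied | Format-Table FilePath, PolicyDecision -AutoSize
} else {
    # 4. Import into the local policy. -Merge keeps the rules already in place.
    Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
}
```

Review the generated XML before step 4: rules built from audit events allow everything that ran during the audit window, including anything that should not have.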

On computers running Windows 7, the default permissions do not allow non-administrative users to perform any print administrative operations.

An administrator can once again delegate specific printer administrative tasks to non-administrative users, thereby reducing costs. No security risks are introduced because non-administrative personnel are not granted system administrative rights.

To add a printer by IP address or hostname, you must be a member of the local Administrators group or be granted the Manage Server permission.

Server management

| Feature | Beta | RC |
| --- | --- | --- |
| Windows Remote Management (WinRM) and Windows PowerShell remoting | The default HTTP and HTTPS ports were 80 and 443, respectively. | The default HTTP and HTTPS ports are 5985 and 5986, respectively. |
| Server Migration Tools | | Cmdlets support IPv6 configuration migration and BranchCache™ feature migration. |
| Virtual desktops and virtual desktop pools | Separate redirectors were required for personal virtual desktops and virtual desktop pools. | A single redirector is required for personal virtual desktops and virtual desktop pools. |
| Remote Desktop Services | Remote Desktop client access licenses were sold in packs of 5 and 20. | Remote Desktop client access licenses can be purchased and installed individually. |
| Remote Desktop Services | A virtual machine that was assigned to a virtual desktop pool could not be rolled back to a previous snapshot when the user logged off. | Virtual machines that are assigned to a virtual desktop pool can be rolled back to a pre-configured snapshot when the user logs off. |
| Remote Desktop Services | Multiple monitor support was limited to 10 monitors. | Remote Desktop Connection (RDC) 7.0 enables support for up to 16 monitors. |
| Remote Desktop Services | RemoteApp programs could not be filtered by user account. | RemoteApp programs can be filtered on a per-user basis to provide a customized view to different types of users within an organization. |
| Remote Desktop Services | When a Remote Desktop Session Host server ran in redirection mode, the Authenticated Users security group was not automatically added to the local Remote Desktop Users security group. | When a Remote Desktop Session Host server runs in redirection mode, the Authenticated Users security group is added to the local Remote Desktop Users security group. If the server is changed from redirection mode to another mode, the Authenticated Users security group is removed from the local Remote Desktop Users security group. |
| Remote Desktop Services | Windows XP could not be used as the guest operating system in a virtual machine farm. | Windows XP is supported as the guest operating system in a virtual machine farm. |
| Remote Desktop Services | Remote Desktop Web Access could be used to add one Remote Desktop Session Host server at a time. | You can add multiple Remote Desktop Session Host servers to Remote Desktop Web Access by using a comma-separated list. |
| Remote Desktop Services | For a personal virtual desktop, a computer name and virtual name were required. | For a personal virtual desktop, only a computer name is required. This must be the NetBIOS name or the fully qualified domain name (FQDN) of the computer. |
| Live Migration | Not supported. | Remote Desktop Virtualization Host supports Live Migration. |

Windows Remote Management and Windows PowerShell remoting

The default HTTP/HTTPS ports for Windows Remote Management (WinRM) and Windows PowerShell remoting have changed from 80/443 to 5985/5986 since the Beta release. This change provides a more secure default configuration by avoiding accidental exposure of the WinRM interface to Web traffic on an Internet-facing server.

As a result of this change, pre-RC and post-RC computers that are not configured properly cannot communicate. When pre-RC and post-RC computers are used together for remote management, either directly (by using the WinRM command-line tool or the WSMan APIs) or through an application that uses WinRM (such as Windows PowerShell or Event Collector), an error message is displayed. This is the same error message that is displayed when the server has not been configured for WinRM traffic, because the client is contacting the wrong port.

To avoid this issue, upgrade all computers by installing Windows 7 or Windows Server 2008 R2 or by installing WinRM 2.0.
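To find computers that still answer only on the beta default port, the following added example (not code from the original document) probes each host with Test-WSMan on 5985 and then on 80. The function name Get-WinRMPortStatus and the host names are hypothetical, and only the HTTP ports are checked.

```powershell
# Added example. Get-WinRMPortStatus is a hypothetical helper name.
function Get-WinRMPortStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [int]$RcPort   = 5985,  # HTTP default from the RC onward
        [int]$BetaPort = 80     # HTTP default in the beta
    )

    foreach ($name in $ComputerName) {
        $answeredOn = $null
        foreach ($port in $RcPort, $BetaPort) {
            try {
                # Test-WSMan sends a WS-Management Identify request to the given port.
                Test-WSMan -ComputerName $name -Port $port -ErrorAction Stop | Out-Null
                $answeredOn = $port
                break
            } catch {
                # Nothing speaking WS-Management answered here; try the next port.
            }
        }

        if     ($answeredOn -eq $RcPort)   { $state = 'OK: listening on the RC default' }
        elseif ($answeredOn -eq $BetaPort) { $state = 'Upgrade needed: still on the beta default' }
        else                               { $state = 'No WinRM listener reached on either port' }

        New-Object PSObject -Property @{
            ComputerName = $name
            Port         = $answeredOn
            State        = $state
        }
    }
}

# Constructed host names for illustration.
Get-WinRMPortStatus -ComputerName 'srv-rc01', 'srv-beta02' |
    Format-Table ComputerName, Port, State -AutoSize
```

On the local computer, `winrm enumerate winrm/config/listener` shows the ports the listeners are actually bound to.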

Server Migration Tools

Server Migration Tools cmdlets now support the following migration scenarios:

  • IPv6 configuration migration

  • BranchCache feature migration

These improvements ease the process of migrating server roles, operating system settings, and data from an existing server that is running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 to a computer that is running Windows Server 2008 R2. For more information, see the BranchCache Migration Guide and the updated IP Configuration Migration Guide on the TechNet Migration portal (https://go.microsoft.com/fwlink/?LinkID=128554).

Miscellaneous

Hyper-V technology

Hyper-V™ technology provides processor compatibility settings to make it easier to use an older operating system and to make it easier to perform a live migration of a virtual machine to another physical computer with a different processor version. The Migrate to a physical computer with a different processor version setting ensures that the virtual machine uses only the features of the processor that are available on all versions of a virtualization-capable processor by the same processor manufacturer. It does not provide compatibility between different processor manufacturers. The setting is useful for high availability and backup and recovery scenarios because it makes it easier to move a highly available virtual machine to another node in a cluster or restore the virtual machine to different hardware.