Announcing Windows Server 2025 Security Baseline Preview
Hello Windows Server Insiders!
Today we are pleased to announce the Windows Server 2025 Security Baseline Preview. You can enable security right from the start by applying the recommended security posture for your device or VM role through a tailored security baseline, with over 350 preconfigured Windows security settings that help you apply and enforce granular settings supporting the best practices recommended by Microsoft and industry standards. We have organized the Windows Server 2025 Security Baseline content into three categories based on your server role:
Domain Controller (DC)
Member Server
Workgroup Member
In addition, you can apply baselines with dedicated security settings specific to:
Windows Defender Antivirus (48)
Secured-Core (6)
The main highlights of the security baseline are the following enforcements:
Secured-Core – UEFI MAT, Secure Boot, Signed Boot Chain
Account and password policies
Security Policies and Security Options
Protocols: TLS 1.2+ enforced, SMB 3.0+, Kerberos AES, etc.
Credential protection (LSASS/PPL)
And many more.
Please review the GitHub repository for the settings that make up each definition:
https://github.com/microsoft/osconfig/blob/main/security/SecurityBaseline_WindowsServer_2025-2409.csv
Customer Experience:
The customer experiences for applying baselines to individual machines, including image customizations, are:
PowerShell cmdlets
Windows Admin Center (WAC)
For at-scale operations, you can apply the baseline and monitor it using Azure Policy and Azure Automanage Machine Configuration, and see your compliance score.
The baseline experience is powered by OSConfig, our newly introduced security configuration platform. Once applied, your baseline settings are automatically protected from drift, which is one of the key features of the platform.
The WAC, Azure Policy and Azure Automanage Machine Configuration experiences will be released soon to the Windows Insider Program. This mechanism will not work for any earlier version of Windows Server.
1. Download prerelease modules from the PowerShell Gallery
If you have not previously configured your system to pull modules from the PowerShell Gallery, please do so using the following steps:
a. Open an elevated PowerShell window (not the x86 version)
b. Run Install-PackageProvider NuGet, PowerShellGet -Force
c. Open a new elevated PowerShell window
d. Run Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
2. Install the OSConfig PowerShell module
Run Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Scope AllUsers -Repository PSGallery -Force
To verify if the OSConfig module is installed, run Get-Module -ListAvailable -Name Microsoft.OSConfig
3. Apply the Security Baseline via PowerShell cmdlets
For a domain-joined member server, run Set-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025MemberServer -Default
For a workgroup device, run Set-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025WorkgroupMember -Default
For a domain controller, run Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
For Secured-core, run Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
For Defender Antivirus, run Set-OSConfigDesiredConfiguration -Scenario DefenderAntivirus -Default
Restart the machine.
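Steps 1 to 3 above as one idempotent script for a single server. This is an added example, not code from the original post or from the OSConfig project; it assumes an elevated 64-bit PowerShell session on Windows Server 2025, uses the scenario names exactly as the post lists them, and derives the role baseline from the machine's Win32_ComputerSystem.DomainRole instead of hard-coding it.

```powershell
# Added example (not from the original post): install the OSConfig preview
# module and apply the role-appropriate baseline in one pass.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Step 1: PowerShell Gallery prerequisites. The post asks for a new window after
# the provider install, so stop here and have the operator re-run when that happened.
if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet, PowerShellGet -Force | Out-Null
    Write-Warning 'Package providers installed. Open a new elevated PowerShell window and run this script again.'
    return
}
if ((Get-PSRepository -Name PSGallery).InstallationPolicy -ne 'Trusted') {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
}

# Step 2: prerelease OSConfig module, skipped when it is already present.
if (-not (Get-Module -ListAvailable -Name Microsoft.OSConfig)) {
    Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Scope AllUsers -Repository PSGallery -Force
}
Import-Module Microsoft.OSConfig

# Step 3: choose the scenario from the actual domain role.
# DomainRole: 0/1 workgroup or member workstation, 2 standalone server,
# 3 member server, 4/5 backup or primary domain controller.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.DomainRole -ge 4) {
    $scenario = 'SecurityBaseline/WS2025/DomainController'
} elseif ($cs.DomainRole -in 1, 3) {
    $scenario = 'SecurityBaselineWS2025MemberServer'
} else {
    $scenario = 'SecurityBaselineWS2025WorkgroupMember'
}
Write-Host "Applying $scenario"
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# Optional add-on baselines from the post; remove the ones you do not want.
Set-OSConfigDesiredConfiguration -Scenario DefenderAntivirus -Default
Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default

# Several settings (for example LSASS running as PPL) only take effect after a restart.
Restart-Computer -Confirm
```

Run it once on a test server; on the second run the gallery and module steps are no-ops and only the baseline application and restart happen again.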
4. Customize the Security Baseline via PowerShell cmdlets
Example using AuditDetailedFileShare on a Member Server (where the default value is 2):
Run Set-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025MemberServer -Name AuditDetailedFileShare -Value 3
Run Get-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025MemberServer -Name AuditDetailedFileShare
Check that the value is now 3.
5. View compliance of the Security Baseline via PowerShell cmdlets
Run Get-OSConfigDesiredConfiguration -Scenario SecuredCoreState
Run Get-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap
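Steps 4 and 5 combined: override one setting, verify it, and turn the compliance view into a report of only the non-compliant settings with a saved CSV for later diffing. This is an added example, not code from the original post or the OSConfig project. It assumes the Microsoft.OSConfig module is installed and the Member Server baseline has been applied; the Value property on the returned objects and the literal status string 'Compliant' are assumptions, since the post only shows the Compliance.Status and Compliance.Reason properties.

```powershell
# Added example (not from the original post): customize one setting, then
# report and persist the non-compliant settings of the baseline.
#Requires -RunAsAdministrator
Import-Module Microsoft.OSConfig
$scenario = 'SecurityBaselineWS2025MemberServer'

# Step 4: raise AuditDetailedFileShare from its default of 2 to 3 and read it back.
Set-OSConfigDesiredConfiguration -Scenario $scenario -Name AuditDetailedFileShare -Value 3
$setting = Get-OSConfigDesiredConfiguration -Scenario $scenario -Name AuditDetailedFileShare
if ($setting.Value -ne 3) {            # assumption: the object exposes .Value
    throw "AuditDetailedFileShare is $($setting.Value), expected 3"
}

# Step 5: flatten the compliance data into plain columns.
$report = @(Get-OSConfigDesiredConfiguration -Scenario $scenario |
    Select-Object Name, Value,
        @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
        @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } })

# Only the settings that are not compliant are interesting for triage.
$nonCompliant = @($report | Where-Object { $_.Status -ne 'Compliant' } | Sort-Object Name)
'{0} of {1} settings compliant' -f ($report.Count - $nonCompliant.Count), $report.Count
$nonCompliant | Format-Table -AutoSize -Wrap

# Keep a timestamped CSV so drift or tool conflicts (see known issues) can be diffed later.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$nonCompliant | Export-Csv -NoTypeInformation -Path "$env:TEMP\osconfig-noncompliant-$stamp.csv"
```

Running the report before and after a change (or after a suspected conflict with Group Policy) and comparing the two CSVs shows exactly which settings moved and the reason OSConfig recorded for each.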
6. Most common tasks impacted / known issues after applying the baseline
Note: Please read before exercising the scenario. Also, these scripts are for preview only and should not be used in production.
Password requirements are complexity and a minimum length of 14 characters. This applies only to local user accounts; when signing in with a domain account, the domain requirements prevail.
TLS connections are subject to a minimum of TLS/DTLS 1.2 or higher. This may prevent connections to older systems.
Copy/paste from RDP sessions is disabled. If you need this function, run: Set-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025[role being applied] -Name RemoteDesktopServicesDoNotAllowDriveRedirection -Value 0 and then reboot.
SMB connections are subject to a minimum of 3.0 or higher (available as of WS2012). Non-Windows systems you connect to (such as Linux Samba) must support SMB 3.0, or adjustments to the baseline are needed.
You may run into a few user rights errors depending on your domain configuration. They do not affect the rest of the security baseline and can be ignored. We are working on fixing this. See the MS Learn doc for details.
If you configure the same settings with two different tools (one of them being OSConfig), there will be conflicts, especially with drift control involved. See the MS Learn doc for details.
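A read-only pre-flight inventory for the impact areas listed above, to run on a test server before the baseline is applied. This is an added example, not code from the original post or the OSConfig project; it uses only standard Windows cmdlets (Get-SmbSession, Get-SmbConnection, Get-SmbServerConfiguration, Get-LocalUser) and the SCHANNEL and Terminal Services policy registry locations, and the function name Invoke-BaselinePreflight is my own.

```powershell
# Added example (not from the original post): inventory the things the
# baseline is known to break so they can be fixed or exempted first.
#Requires -RunAsAdministrator
function Invoke-BaselinePreflight {
    $findings = [System.Collections.Generic.List[string]]::new()

    # SMB 3.0+ minimum: peers still negotiating a 1.x/2.x dialect will lose access.
    $below3 = { [version]$_.Dialect -lt [version]'3.0' }
    Get-SmbSession -ErrorAction SilentlyContinue | Where-Object $below3 | ForEach-Object {
        $findings.Add("SMB inbound session from $($_.ClientComputerName) uses dialect $($_.Dialect)")
    }
    Get-SmbConnection -ErrorAction SilentlyContinue | Where-Object $below3 | ForEach-Object {
        $findings.Add("SMB outbound connection to $($_.ServerName) uses dialect $($_.Dialect)")
    }
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings.Add('SMB1 is still enabled on this server')
    }

    # TLS 1.2+ minimum and the two-tools conflict: SCHANNEL protocol keys already
    # pinned by Group Policy or a script will fight OSConfig drift control.
    $protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $protoRoot "$proto\$side"
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            if ($null -ne $enabled) {
                $findings.Add("SCHANNEL $proto $side already explicitly configured (Enabled=$enabled); expect a conflict")
            }
        }
    }

    # Local accounts: the 14-character complexity rule applies to these at their
    # next password change; domain accounts keep the domain policy.
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        $findings.Add("Local account '$($_.Name)' is enabled (PasswordRequired=$($_.PasswordRequired))")
    }

    # RDP: record whether clipboard/drive redirection policy values are already set,
    # since the baseline will set them too.
    $rdpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    foreach ($name in 'fDisableCdm', 'fDisableClip') {
        if ($null -ne $rdp.$name) {
            $findings.Add("RDP policy $name already set to $($rdp.$name)")
        }
    }
    return $findings
}

$result = Invoke-BaselinePreflight
if ($result.Count -eq 0) { 'No pre-flight findings.' } else { $result }
```

Every finding is informational; the point is to know which SMB peers, TLS pins, local accounts and RDP policies exist before drift control starts enforcing the baseline over them.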
In case you are blocked or experiencing a work disruption after applying the security baseline:
File a bug in Feedback Hub under Category: Windows Server -> Security Configuration Management
You should preview the security baseline only on test systems. While there is a 'Remove' command, not all configurations can be reversed.
Open an elevated PowerShell window, run Remove-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025MemberServer and then reboot.
We value your feedback!
Please tell us what is working and what needs to be improved; your feedback is extremely valuable for making the product experience better. Please use the Feedback Hub app for Windows Server 2025. Category: Windows Server -> Security Configuration Management
What's coming?
We will also share Windows Admin Center, Azure Policy and Azure Automanage Machine Configuration experiences with the Windows Insider Program, so you can try out the full end-to-end experience and application control!