ITOps Talk Blog
Re: Using OSConfig to manage Windows Server 2025 security baselines

Thanks for sharing. OrinThomas, while it is mentioned in the documentation and by most OSConfig content, I couldn't find a way to create a customized baseline so far. Do you have a link on how to create a customized baseline?

Published May 21, 2025
Version 1.0

3 Comments

  • Carlos_Mayol
    Microsoft

    Hello Andreas, Configure security baselines for Windows Server 2025 | Microsoft Learn

    You can customize any setting using the -Value parameter instead of "-Default", per setting name. Example:

      Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Setting MessageTextUserLogon -Value "Welcome"

    Today, if you want to customize settings, the best way is to create a script that applies the default for all the settings, and then you customize the ones you need (1 Set line per Setting customization).

    Additionally, while customizing, I recommend checking the compliance status. As a very new concept, we added "ranges" of expected values; you can find them in our documentation. Ideally you will keep the non-default values within the "expected range" so we keep you on the Green/Compliance side.

    Hope this helps, 

    • Andreas_Hartig
      Brass Contributor

      Carlos_Mayol, thanks for getting back to me. You do recommend a valid approach, but from a customer experience I would like to have a new baseline created based on the security requirements and a reporting tool for IT-Sec showing the differentiators. Running a massive amount of individual scripts to make settings and the current reporting is not a good customer value delivered.

      In a perfect world.

      1. We want to create our own baseline in Excel
      2. Compare server values with the baseline and get an Excel / CSV report
      3. Use Power BI or Reporting Tools to show the real-world gaps, how often they occur on what system / AD OU / OS / region / IP subnet, and from there "fix" the compliance issues.

      Don't get me wrong, I am excited about how simple OSConfig is, but in the current state the tool will hardly be used by customers, as we need to develop all the reporting / comparing or wait for a third party to deliver on that.

      • Carlos_Mayol
        Microsoft

        Hello, and sorry for my late response here.

        1 - We are working on something similar
        2 - This is doable today, with the static baseline we have today
        3 - This is doable using Azure policy (audit) and we are working to give you a fix option.

        Thanks for the feedback!
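
The approach from the first reply (defaults first, then one Set line per customized setting) combined with the per-server CSV report asked for in point 2, as an added example that is not part of the thread and not Microsoft's code. It assumes an elevated session on Windows Server 2025 with the Microsoft.OSConfig module installed; the report path and the `$Overrides` table are hypothetical names chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumes the Microsoft.OSConfig module
# is already installed on a Windows Server 2025 member server.

# Scenario path in the forward-slash form; the reply above writes it with backslashes.
$Scenario   = 'SecurityBaseline/WS2025/MemberServer'
$ReportPath = Join-Path $env:TEMP "osconfig-$env:COMPUTERNAME.csv"   # hypothetical location

# Site-specific deviations from the default baseline, one entry per setting.
$Overrides = [ordered]@{
    MessageTextUserLogon = 'Welcome'   # setting and value taken from the reply above
}

# 1. Apply the default value for every setting in the scenario.
Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default

# 2. Apply each customization on top of the defaults.
foreach ($name in $Overrides.Keys) {
    Set-OSConfigDesiredConfiguration -Scenario $Scenario -Setting $name -Value $Overrides[$name]
}

# 3. Read back compliance for the whole scenario and flatten it for CSV.
#    'Overridden' marks the rows where this script deviated from the default,
#    so a reviewer can separate intended deviations from drift.
$report = Get-OSConfigDesiredConfiguration -Scenario $Scenario |
    Select-Object @{ Name = 'Computer';   Expression = { $env:COMPUTERNAME } },
                  Name,
                  @{ Name = 'Status';     Expression = { $_.Compliance.Status } },
                  @{ Name = 'Reason';     Expression = { $_.Compliance.Reason } },
                  @{ Name = 'Overridden'; Expression = { $Overrides.Contains($_.Name) } }

$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# 4. Surface anything that is not compliant, including overrides that fell
#    outside the documented range of expected values.
$gaps = @($report | Where-Object { $_.Status -ne 'Compliant' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) setting(s) not compliant on $env:COMPUTERNAME"
    $gaps | Format-Table Name, Status, Reason, Overridden -AutoSize -Wrap
} else {
    Write-Output "All settings compliant. Report written to $ReportPath"
}
```

The CSV files from several servers can be concatenated as they are, since each row carries the computer name.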