Using OSConfig to manage Windows Server 2025 security baselines
Thanks for sharing. OrinThomas, while it is mentioned in the documentation and by most OSConfig content, I couldn't find a way to create a customized baseline so far. Do you have a link on how to create a customized baseline?
- Carlos_Mayol, May 21, 2025
Microsoft
Hello Andreas, Configure security baselines for Windows Server 2025 | Microsoft Learn
You can customize any setting using the -Value parameter instead of "-Default", per setting name, for example: Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Setting MessageTextUserLogon -Value "Welcome"
Today, if you want to customize settings, the best way is to create a script that applies the default for all the settings and then you customize the ones you need (1 Set line per Setting customization).
Additionally, while customizing, I recommend checking the compliance status. As a very new concept, we added "ranges" of expected values; you can find them in our documentation, so ideally you will keep the non-default values within the "expected range" so we keep you on the Green/Compliance side.
Hope this helps,
- Andreas_Hartig, Jul 14, 2025, Brass Contributor
Carlos_Mayol, thanks for getting back to me. You do recommend a valid approach, but from a customer experience perspective I would like to have a new baseline created based on the security requirements and a reporting tool for IT-Sec showing the differentiators. Running a massive amount of individual scripts to make settings and the current reporting is not a good customer value delivered.
In a perfect world.
- We want to create our own baseline in Excel
- Compare server values with the baseline and get an Excel / CSV report
- Use Power BI or reporting tools to show the real-world gaps, how often they occur on what system / AD OU / OS / region / IP subnet, and from there "fix" the compliance issues.
Don't get me wrong, I am excited about how simple OSConfig is, but in the current state the tool will hardly be used by customers, as we need to develop all the reporting / comparing or wait for a third party to deliver on that.
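
The script approach from Carlos_Mayol's reply (defaults first, then one Set call per customized setting, then a compliance check), extended with the CSV output Andreas_Hartig asks about, as an added example that is not part of the thread and not Microsoft's code. It assumes an elevated session with the Microsoft.OSConfig module installed, and that the objects returned by Get-OSConfigDesiredConfiguration expose Name, Value and Compliance.Status / Compliance.Reason; the override list and report file name are constructed.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes: Install-Module -Name Microsoft.OSConfig
Import-Module Microsoft.OSConfig

# Scenario name as used in the reply above.
$Scenario = 'SecurityBaseline\WS2025\MemberServer'

# Constructed sample override list. In practice this could come from
# Import-Csv on a sheet exported from Excel with Setting and Value columns
# (hypothetical layout).
$Overrides = @(
    [pscustomobject]@{ Setting = 'MessageTextUserLogon'; Value = 'Welcome' }
)

# 1. Apply the baseline default for every setting in the scenario.
Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default

# 2. One Set call per customized setting.
foreach ($o in $Overrides) {
    Set-OSConfigDesiredConfiguration -Scenario $Scenario -Setting $o.Setting -Value $o.Value
}

# 3. Read the state back and flatten it to one row per setting.
#    Property names (Name, Value, Compliance.Status, Compliance.Reason) are an
#    assumption about the module's output objects.
$report = Get-OSConfigDesiredConfiguration -Scenario $Scenario | ForEach-Object {
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Scenario   = $Scenario
        Setting    = $_.Name
        Value      = ($_.Value -join ';')
        Status     = $_.Compliance.Status
        Reason     = $_.Compliance.Reason
        Customized = $_.Name -in $Overrides.Setting
    }
}

# 4. Per-server CSV that Excel or Power BI can merge across machines.
$report | Export-Csv -Path ".\osconfig-$env:COMPUTERNAME.csv" -NoTypeInformation

# 5. Show whether each customized value is still reported as compliant,
#    i.e. inside the documented expected range.
$report | Where-Object Customized |
    Format-Table Setting, Value, Status, Reason -AutoSize -Wrap

# Overall count per compliance status for this server.
$report | Group-Object Status | Select-Object Name, Count
```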