ITOps Talk Blog

Using OSConfig to manage Windows Server 2025 security baselines

OrinThomas
May 21, 2025

OSConfig is a security configuration and compliance management tool introduced as a PowerShell module for use with Windows Server 2025. It enables you to enforce security baselines, automate compliance, and prevent configuration drift on Windows Server 2025 computers.

OSConfig has the following requirements:

  • Windows Server 2025 (OSConfig is not supported on earlier versions)
  • PowerShell version 5.1 or higher
  • Administrator privileges

OSConfig is available as a module from the PowerShell Gallery. You install it using the following command:

Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

If prompted to install or update the NuGet provider, type Y and press Enter.

You can verify that the module is installed with:

Get-Module -ListAvailable -Name Microsoft.OSConfig

You can ensure that you have an up-to-date version of the module and the baselines by running the following command:

Update-Module -Name Microsoft.OSConfig

To check which OSConfig cmdlets are available, run:

Get-Command -Module Microsoft.OSConfig

Applying Security Baselines

OSConfig includes predefined security baselines tailored for different server roles: Domain Controller, Member Server, and Workgroup Member. These baselines enforce over 300 security settings, such as TLS 1.2+, SMB 3.0+, credential protections, and more.

Server Role         Command
Domain Controller   Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
Member Server       Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default
Workgroup Member    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default
Secured Core        Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
Defender Antivirus  Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default

To view compliance from a PowerShell session, run the following command, specifying the appropriate baseline:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

Whilst this PowerShell output gets the job done, you might find it easier to read the report in Windows Admin Center. To open the security baseline compliance report, connect to the server you've configured with OSConfig and select the Security Baseline tab of the Security blade.
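As an added example (not code from the original post), the compliance query above turned into a reusable function that tags each setting with the computer name and timestamp, writes the full report to CSV, and lists only the settings that are not compliant. It assumes an elevated session with Microsoft.OSConfig installed, that the baseline was already applied with -Default, and that Compliance.Status reports the string Compliant for passing settings.

```powershell
# Added example; assumes Microsoft.OSConfig is installed and the session is elevated.
function Get-BaselineComplianceReport {
    param(
        [Parameter(Mandatory)] [string] $Scenario,   # e.g. SecurityBaseline/WS2025/MemberServer
        [string] $CsvPath                            # optional: where to save the report
    )

    # One row per baseline setting, using the Name and Compliance properties
    # shown in the post's Format-Table example.
    $rows = Get-OSConfigDesiredConfiguration -Scenario $Scenario | ForEach-Object {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Scenario  = $Scenario
            Setting   = $_.Name
            Status    = $_.Compliance.Status
            Reason    = $_.Compliance.Reason
            Collected = (Get-Date).ToString('o')
        }
    }

    if ($CsvPath) {
        $rows | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    }
    $rows
}

$scenario = 'SecurityBaseline/WS2025/MemberServer'
$report   = @(Get-BaselineComplianceReport -Scenario $scenario `
                -CsvPath "$env:TEMP\osconfig-$env:COMPUTERNAME.csv")

# Assumption: a passing setting reports Compliance.Status = 'Compliant'.
$gaps = @($report | Where-Object { $_.Status -ne 'Compliant' })

'{0}: {1} of {2} settings compliant on {3}' -f $scenario,
    ($report.Count - $gaps.Count), $report.Count, $env:COMPUTERNAME
$gaps | Format-Table Setting, Status, Reason -AutoSize -Wrap
```

The CSV from several servers can be concatenated for a fleet-wide view, since every row carries the computer name and scenario.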

Another feature of OSConfig is drift control. It helps ensure that the system starts and remains in a known good security state. When you turn it on, OSConfig automatically corrects any system changes that deviate from the desired state. OSConfig makes the correction through a refresh task. This task runs every 4 hours by default, which you can verify with the Get-OSConfigDriftControl cmdlet.

You can change how often drift control runs using the Set-OSConfigDriftControl cmdlet. For example, to set it to 45 minutes, run:

Set-OSConfigDriftControl -RefreshPeriod 45

Rather than just using the default included baselines, you can also customize baselines to suit your organizational needs. That's more detail than I want to cover here, but if you want to know more, check out the information available in the GitHub repo associated with OSConfig.

Find out more about OSConfig at the following links:

https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview

https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines

Updated May 21, 2025
Version 3.0

4 Comments

  • box57l
    Copper Contributor

    OrinThomas, can you describe how OSConfig is applied / controlled at scale via Azure Policy / Machine Configuration? https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview mentions "It integrates with Azure Policy" but gives no detail on how. Our current scenario is Azure Arc-connected devices; testing via local authority (pwsh) is fine, but how do the OSConfig security baselines integrate with Azure Policy for an overall compliance view? Or, further still, how can the OSConfig security baselines be applied via Azure Policy / Machine Configuration?

  • Thanks for sharing. OrinThomas, while it is mentioned in the documentation and by most OSConfig content, I couldn't find a way to create a customized baseline so far. Do you have a link on how to create a customized baseline?

    • Carlos_Mayol
      Microsoft

      Hello Andreas, Configure security baselines for Windows Server 2025 | Microsoft Learn

      You can customize any setting by using the -Value parameter instead of -Default, per setting name. Example: Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Setting MessageTextUserLogon -Value "Welcome"

      Today, if you want to customize settings, the best way is to create a script that applies the default for all the settings and then customizes the ones you need (one Set line per setting customization).

      Additionally, while customizing, I recommend checking the compliance status. As a very new concept, we added "ranges" of expected values; you can find them in our documentation. Ideally you will keep the non-default values within the "expected range" so we keep you on the Green/Compliance side.

      Hope this helps, 
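      The approach Carlos describes, written out as an added example script (not his code or the project's): apply the full default baseline, then override selected settings with one Set- call each, then confirm those overrides are still reported as compliant. It assumes an elevated session with Microsoft.OSConfig installed and uses the forward-slash scenario path from the post; MessageTextUserLogon / "Welcome" is the pair from his comment, and the second entry is a placeholder.

```powershell
# Added example; assumes Microsoft.OSConfig is installed and the session is elevated.
$scenario = 'SecurityBaseline/WS2025/MemberServer'

# Settings to override after the default baseline has been applied.
# Placeholder entries are marked; replace them with settings from the documentation.
$overrides = [ordered]@{
    MessageTextUserLogon = 'Welcome'   # setting and value from the thread
    # 'SettingNamePlaceholder' = 'ValuePlaceholder'   # placeholder: add more overrides here
}

# 1. Apply the documented default for every setting in the baseline.
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# 2. One Set- call per customized setting, as the comment recommends.
foreach ($name in $overrides.Keys) {
    Set-OSConfigDesiredConfiguration -Scenario $scenario -Setting $name -Value $overrides[$name]
}

# 3. Re-read the baseline and show the compliance status of only the overridden
#    settings, so a value outside the documented expected range is visible at once.
Get-OSConfigDesiredConfiguration -Scenario $scenario |
    Where-Object { $overrides.Contains($_.Name) } |
    Format-Table Name,
        @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
        @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } } -AutoSize -Wrap
```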

      • Andreas_Hartig
        Brass Contributor

        Carlos_Mayol, thanks for getting back to me. You do recommend a valid approach, but from a customer experience I would like to have a new baseline created based on the security requirements and a reporting tool for IT-Sec showing the differentiators. Running a massive amount of individual scripts to make settings and the current reporting is not a good customer value delivered.

        In a perfect world:

        1. We want to create our own baseline in Excel
        2. Compare server values with the baseline and get an excel / csv report
        3. Use PowerBi or Reporting Tools to show the real world gaps, how often they do occur on what system / AD OU / OS / region / IP Subnet and from there "fix" the compliance issues.

        Don't get me wrong, I am excited about how simple OSConfig is, but in the current state the tool will hardly be used by customers, as we need to develop all the reporting / comparing or wait for a third party to deliver on that.