Harden security and build resiliency with Windows Server 2025

Hi, We are working on exp where customers can apply baseline via Azure Policy and we hope to release this by EOY, 2025. So far, we can only monitor compliance via Azure policy.

Yes, we are giving a few months to try it out at no charge, but starting on July 1 it becomes a subscription service for Windows Server 2025 on-premises servers. The hotpatching that we have offered in Azure VMs since 2022 edition will remain free of charge. However, I should note that if you are not subscribing you still get the same security updates (just the reboot frequency changes)

I think the best way to describe it, it’s layers of protection.

UEFI -> DEP -> Secure Boot -> Kernel (App Control for Business) -> ELAM -> Credential Guard -> Smartscreen / Network Protection -> ASR Rules -> Defender Antivirus -> Defender for Endpoint

Depending on App Control for Business design that the customer is using:

🔒 Application Control Design Models (Ranked)

Here are typical WDAC design models, ranked from most secure (but possibly complex) to least secure (but simpler):

1. Default Deny with Trusted Signers Only (Most Secure)

• 🔐 Security: Highest — only explicitly trusted code runs (e.g., Microsoft + IT-signed apps)
• 🧰 Overhead: High — every new app needs manual approval/signing
• ⚙️ Ideal for: High-security environments (e.g., defense, critical infrastructure)

2. Signed Apps Only + Microsoft Recommended Block Rules

• ✔️ Security: Very strong — only signed apps allowed; known bad binaries blocked
• 🧠 Overhead: Moderate — fewer exceptions needed, but signing required for custom apps
• 🤖 Can be combined with Intune auto-deployments
• 📦 Best balance of security and manageability

3. Allow Microsoft + IT-Approved Catalog Apps (Hybrid)

• ✅ Security: Strong — relies on signer trust and curated app catalogs
• 🔄 Overhead: Moderate-Low — allows app updates if signed properly
• 📊 Good for: Enterprises managing both commercial and in-house software

4. Path Rules with Signed Microsoft Core Apps

• ⚠️ Security: Moderate — vulnerable to path tampering and DLL injection if not hardened
• 🛠️ Overhead: Low — easiest to maintain, especially if core apps are in fixed locations
• 🎯 Target: Lighter lockdown or compatibility testing environments

5. Audit Mode with Monitoring (Test Only)

• ❌ Security: None (no enforcement)
• 🧪 Overhead: Low — used for baseline analysis before enforcement
• 📈 Useful for: Building future enforced policies based on real-world app use

🔄 How ASR and WDAC Work Together

1. ✅ "Use advanced protection against ransomware"

• What it does: Blocks processes from making changes to files in user folders unless they're trusted/signed or have good reputation.
• How it fits with WDAC:
• WDAC might allow a signed app to run, but ASR can still block its behavior if it starts encrypting files.
• ASR provides behavioral protection against misuse of legitimate apps (e.g., Office apps with macros).

2. ✅ "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"

• What it does: Uses cloud-based reputation (Microsoft Defender Cloud Protection (aka MAPS)) to determine if a file is likely trustworthy.
• How it fits with WDAC:
• WDAC has Microsoft Intelligent Security Graph (ISG) for runtime signing verification
• This ASR rule acts as a dynamic safety net, especially useful in environments where not all apps are pre-vetted or signed.
• Helps protect against zero-day or just-released malware that isn’t yet blocked by WDAC or antivirus signatures.