Windows Server 2025 OS security for IT and security pros

Delegated Managed Service Account (upcoming Windows Server 2025 feature) can be used to supersede existing service accounts and upgrade them to using machine bound identities instead of passwords.

Olaf_Engelke some thoughts to complement your good thoughts.
https://techcommunity.microsoft.com/t5/windows-server-events/an-ounce-of-prevention-is-worth-a-pound-of-detection/ec-p/4100172#M809

For now, you can only migrate traditional service accounts to DMSA (Delegated Managed Service Account). Migrating MSA (managed service account) and gMSA (group managed service account) to DMSA are not supported yet. For DMSA, both the domain controller and the client need to be based on Windows Server 2025.

I'll list a few definitions here, and if that triggers follow up questions please feel free:

Microsoft WS2025 security baseline: A set of recommended settings for WS2025, developed by the WS2025 security team, inspired by new threats and by prior art including WS2022 SCT baseline, CIS guidance, etc.

Microsoft.OSConfig powershell module: A new PowerShell module from Microsoft which can be used to instruct the OS to apply and sustain specific security postures and features, including the Microsoft WS2025 security baseline.

Azure Machine Configuration: Previously/also known as Guest Configuration, GuestConfig, and Automanage Machine Configuration-- Azure Machine Configuration is a service which (working together with Azure Policy) can configure settings at scale, including various baselines.

Azure Compute Security Baseline: Also known as GuestConfig Security Baseline, ACSB for Windows is what gets applied today when you use the built-in Azure policy for security baselines on Windows (all versions). Note that ACSB includes some conditional logic to handle different OS versions.

Q: Does the Windows baseline (as applied to a Server 2025 machine) via Azure Policy and Machine Configurattion match the Microsoft WS2025 security baseline (as applied by Microsoft.OSConfig PowerShell)?

A: They are very similar, and we are working to get them 100% aligned.

The idea is that you should be able to use PowerShell early, such as during image customization, to ensure systems are protected before they ever hit a network, and then use Azure Policy with Machine Configuration (specifically the Windows baseline there) to audit and sustain that over time.

The goal with DMSA is to get rid of using passwords with service accounts. More often than not, those accounts use weak passwords, which are often reused across multiple accounts, and often those passwords do not get rotated. Such service accounts are attractive targets for attackers. With, DMSA (delegated managed service account), service accounts are bound to the machine identity and thus do not use passwords. Further, it is easy to upgrade existing service accounts to DMSA.