Announcing Windows Server 2025 Security Baseline Preview

This thread has been locked for new comments by a moderator, if you have a new similar issue then please start a new thread.
Microsoft

Announcing Windows Server 2025 Security Baseline Preview 

 

Hello Windows Server Insiders!

Today we are pleased to announce the Windows Server 2025 Security Baseline Preview.  You can enable security right from the start by applying the recommended security posture for your device or VM role through application of a tailored security baseline, with over 350 preconfigured Windows security settings that help you apply and enforce granular security settings that support best practices recommended by Microsoft and Industry standards. We have organized the Windows Server 2025 Security Baseline content into three categories based on your server role:

  • Domain Controller (DC)
  • Member Server
  • Workgroup Member

In addition, you can apply baselines with dedicated security settings specific to:

  • Windows Defender Antivirus (48)​
  • Secured-Core (6)

Main Highlights of the security baseline are the following enforcements:

  • Secured-Core – UEFI MAT, Secure Boot, Signed Boot Chain​
  • Account and password policies​
  • Security Policies and Security Options
  • Protocols: TLS Enforced >1.2+, SMB 3.0+, Kerberos AES, etc​.
  • Credentials Protections (LSASS/PPL)​
  • And many more.

Please review the GitHub repository for what settings comprise of each definition:

https://github.com/microsoft/osconfig/blob/main/security/SecurityBaseline_WindowsServer_2025-2409.cs...

 

Customer Experience:

The customer experience to apply baselines for individual machines, including image customizations are:

  • PowerShell cmdlets
  • Windows Admin Center (WAC)

For at-scale operations, you can apply baseline and monitor using Azure Policy and Azure Automanage Machine Configuration and see your compliance score.

 

The baseline experience is powered by OSConfig - our newly introduced security configuration platform’. Once applied, your baseline settings are protected from any drift automatically, which is one of the key features of the security platform.

 

The WAC, Azure Policy and Azure Automanage Machine Configuration experiences will be released soon to the Windows Insider Program. This mechanism will not work for any earlier version of Windows Server.

1.   Download prerelease modules from the PowerShell Gallery

If you have not previously configured your system to pull modules from the PowerShell Gallery, please do so using the following steps:

a.  Open an elevated PowerShell window (not the x86 version)

b.  Run Install-PackageProvider NuGet, PowerShellGet -Force

c.   Open a new elevated PowerShell window

d.   Run Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

 

2.   Install the OSConfig PowerShell module

      1. Run Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Scope AllUsers -Repository PSGallery -Force
      2. To verify if the OSConfig module is installed, run Get-Module -ListAvailable -Name Microsoft.OSConfig 

3.   Apply the Security Baseline via PowerShell cmdlets

      1. For domain-joined device, run Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Default
      2. For workgroup device, run Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\WorkgroupMember -Default
      3. For domain controller device, run Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
      4. For Secured-core, Run Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
      5. For Defender Antivirus, Run Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default
      6. Restart machine

4.   Customize the Security Baseline via PowerShell cmdlets

Example using AuditDetailedFileShare for Member Server device (where the default value is 2)

      1. Run Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare -Value 3
      2. Run Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare
      3. Check that the value is now 3.

5.   View compliance of the Security Baseline via PowerShell cmdlets

      1. Run Get-OSConfigDesiredConfiguration -Scenario SecuredCoreState

      2. Run Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

6.   Most Common tasks impacted/Known Issues after applying baseline

Note: (Please read before exercising the scenario! Also, these scripts are for preview only and should not be used in production.)

      1. Password requirements are Complexity and Minimum of 14-character length. This only applies to local user accounts; when signing in with a domain account, domain requirements prevail for domain accounts.

      2. TLS connections are subject to a minimum of TLS/DTLS 1.2 or higher. May prevent connections to older systems.

      3.  

        Copy/Paste of files from RDP sessions is disabled.  If you need to use this function, runSet-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\[role being applied] -Name RemoteDesktopServicesDoNotAllowDriveRedirection -Value 0 and then reboot.

      4.  

        SMB connections are subject to a minimum of 3.0 or higher (available as of WS2012). Connecting to non-windows systems (like Linux SAMBA) must support SMB 3.0, or adjustments to the baseline are needed.

      5.  

        You may run into a few user rights errors depending on your domain configuration. It does not impact the rest of the security baseline and can be ignored. We are working on fixing it. See MSLearn doc for details.

      6.  

        If you are configuring the same settings with two different tools (one being OSConfig in this case), there will be conflicts, especially with drift control involved. See MSLearn doc for details.

      7. In case you are blocked or experiencing a work disruption after applying the security baseline: 
        • File a bug in feedback hub under Category Windows Server-> Security Configuration Management
      8. You should preview the security baseline only on test systems. While there is a ‘Remove’ command, not all configurations can be reversed.
        • Open an elevated PowerShell window, run Remove-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer  and then reboot.

 

We value your feedback!

Please provide feedback as to what is working and what needs to be improved as your feedback is extremely valued to make the product experience better. Please use Feedback Hub app for Windows Server 2025. Category: Windows Server->Security Configuration Management

 

You can also reach us via email at heseccon@microsoft.com Edge Security Connect.

 

What’s coming?

We will also share a Windows Admin Center, Azure Policy and Azure Automanage Machine Configuration experience, to try out for getting full E2E experience & Application control for Windows Insider Program!!

0 Replies