Using OSConfig to manage Windows Server 2025 security baselines
OSConfig is a security configuration and compliance management tool introduced as a PowerShell module for use with Windows Server 2025. It enables you to enforce security baselines, automate compliance, and prevent configuration drift on Windows Server 2025 computers. OSConfig has the following requirements: Windows Server 2025 (OSConfig is not supported on earlier versions) PowerShell version 5.1 or higher Administrator privileges OSConfig is available as a module from the PowerShell Gallery. You install it using the following command Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force If prompted to install or update the NuGet provider, type Y and press Enter. You can verify that the module is installed with: Get-Module -ListAvailable -Name Microsoft.OSConfig You can ensure that you have an up-to-date version of the module and the baselines by running the following command: Update-Module -Name Microsoft.OSConfig To check which OSConfig cmdlets are available, run: Get-Command -Module Microsoft.OSConfig Applying Security Baselines OSConfig includes predefined security baselines tailored for different server roles: Domain Controller, Member Server, and Workgroup Member. These baselines enforce over 300 security settings, such as TLS 1.2+, SMB 3.0+, credential protections, and more. Server Role Command Domain Controller Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default Member Server Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default Workgroup Member Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default Secured Core Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default Defender Antivirus Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default To view compliance from a PowerShell session, run the following command, specifying the appropriate baseline: Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap Whilst this PowerShell output gets the job done, you might find it easier to parse the report by using Windows Admin Center. You can access the security baseline compliance report by connecting to the server you’ve configured using OSConfig by selecting the Security Baseline tab of the Security blade. Another feature of OSConfig is drift control. It helps ensure that the system starts and remains in a known good security state. When you turn it on, OSConfig automatically corrects any system changes that deviate from the desired state. OSConfig makes the correction through a refresh task. This task runs every 4 hours by default which you can verify with the Get-OSConfigDriftControl cmdlet. You can reset how often drift control runs using the Set-OSConfigDriftControl cmdlet. For example, to set it to 45 minutes run the command: Set-OSConfigDriftControl -RefreshPeriod 45 Rather than just using the default included baselines, you can also customize baselines to suit your organizational needs. That’s more detail that I want to cover here, but if you want to know more, check out the information available in the GitHub repo associated with OSConfig. Find out more about OSConfig at the following links: https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines
Windows 11 facing partitioning errors
Good day, I have recently upgraded my computer to a newer compatible version and i successfully installed Windows 11 on the computer. However the Windows 11 seems to have trouble; even if drivers are included to do correct partitioning. I installed windows on a "SSD" only; created a partition and left my HDD unformatted; following result was that the HDD got installed and labelled "C:" and the NVME SSD to be 'invisible' 'unpopulated' and 'unavailable' but the EFI bootloader is installed on that partition. What followed were Bugchecks when restoring from a sleep status. The Motherboard is of BRAND GIGABYTE of type B850M-D3HP ⚠ BugCheck 0x3B – SYSTEM_SERVICE_EXCEPTION Faulting module: win32kfull.sys, function NtUserRemoveProp+0x9e Process: explorer.exe Cause: Attempted to access invalid memory via rdi (null or corrupted pointer) Most likely scenario: A user-mode call (GUI-related, maybe window or property deletion) triggered kernel-mode access to an invalid pointer. ⚠ BugCheck 0x50 – PAGE_FAULT_IN_NONPAGED_AREA Faulting module: ntkrnlmp.exe, function MiCompleteProtoPteFault+0x56a Process: services.exe Cause: Page fault on a prototype PTE access (likely during memory-mapped section resolution) 🧠 Explanation of MiCompleteProtoPteFault Fault A Prototype PTE is used when sharing pages (like DLLs) between processes. The OS tried resolving a prototype PTE (paging in or committing a section-backed page). Failure suggests: Faulty or unstable driver (especially for memory-mapped IO) Filesystem inconsistencies (corrupt pagefile or memory-mapped regions) Incomplete or invalid disk config (RAID metadata interfering with IO mapping) https://www.gigabyte.com/WebPage/1080/amd800-raid.html I include Determining based on the manual the solution to this problem would be adding a second HDD and second NVMe SSD to configure in RAID. Making RAID setup the requirement for installation of Windows 11 at minimun. The Windows Installation Media requires a driver to be installed Also for your Inquiry; AMD is facing a huge stub-hold and permanent ceasing of effect because of "Vulkan" will redundify 'all applications' due to a missing backlight and might crash 'huge' in the upcoming years. I spent $800 on a new video card to get rid of a 'moiree effect' that is 'ridden' in older computer systems. Greetings
Windows 10/11 Auto installing “LG Monitor App Installer” LG Monitor Support Application Drivers”.
This software is not necessary for the proper function of the basic display and PNP function of the display in windows. The software should be OPTIONAL AND INSTALLABLE BY THE USER NOT FORCED INSTALLED BY WINDOWS UPDATE. This software is considered a PUP. (potentially unwanted program) Im a PC technician and repair expert. If I have to plug in LG monitors into my client’s computers and get force installed PUPS (with drivers and junk that is annoying to uninstall) every time I try to fix a client’s PC I would lose my mind. (I already have) I paid hundreds of dollars for my LG screens just so that this happens; fix your **bleep** Microsoft! Windows never did this before just until some recent feature/security update happened. I know this happens with some devices but for these screens it’s straight up not needed. Since when has anybody needed monitor drivers to use their screen??? NOT GRAPHICS DRIVERS. And it does not even install any monitor driver. It installs some “Software component” that runs a background service to install LG crap. And all that does is allow me to install more LG crap. Just the app from more stupid things. PROPOSED SOLUTION program a GUI interference that prompts the user if they want to install drivers YES OR NO from windows update for a newly connected device. Im sure windows 7 did something like that before rather than silently behind your back; crapping on your system.
