security
4834 Topics

Using OSConfig to manage Windows Server 2025 security baselines
OSConfig is a security configuration and compliance management tool introduced as a PowerShell module for use with Windows Server 2025. It enables you to enforce security baselines, automate compliance, and prevent configuration drift on Windows Server 2025 computers.

OSConfig has the following requirements:

- Windows Server 2025 (OSConfig is not supported on earlier versions)
- PowerShell version 5.1 or higher
- Administrator privileges

OSConfig is available as a module from the PowerShell Gallery. You install it using the following command:

    Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

If prompted to install or update the NuGet provider, type Y and press Enter.

You can verify that the module is installed with:

    Get-Module -ListAvailable -Name Microsoft.OSConfig

You can ensure that you have an up-to-date version of the module and the baselines by running the following command:

    Update-Module -Name Microsoft.OSConfig

To check which OSConfig cmdlets are available, run:

    Get-Command -Module Microsoft.OSConfig

Applying Security Baselines

OSConfig includes predefined security baselines tailored for different server roles: Domain Controller, Member Server, and Workgroup Member. These baselines enforce over 300 security settings, such as TLS 1.2+, SMB 3.0+, credential protections, and more.
Server Role          Command
Domain Controller    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
Member Server        Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default
Workgroup Member     Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default
Secured Core         Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
Defender Antivirus   Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default

To view compliance from a PowerShell session, run the following command, specifying the appropriate baseline:

    Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

Whilst this PowerShell output gets the job done, you might find it easier to parse the report by using Windows Admin Center. You can access the security baseline compliance report by connecting to the server you’ve configured using OSConfig and selecting the Security Baseline tab of the Security blade.

Another feature of OSConfig is drift control. It helps ensure that the system starts and remains in a known good security state. When you turn it on, OSConfig automatically corrects any system changes that deviate from the desired state. OSConfig makes the correction through a refresh task. This task runs every 4 hours by default, which you can verify with the Get-OSConfigDriftControl cmdlet. You can reset how often drift control runs using the Set-OSConfigDriftControl cmdlet. For example, to set it to 45 minutes, run the command:

    Set-OSConfigDriftControl -RefreshPeriod 45

Rather than just using the default included baselines, you can also customize baselines to suit your organizational needs.
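The compliance query and drift-control check described above can be combined into one report that is easier to archive than the ft output. This is an added example, not code from the original article or from the OSConfig project; the function name Get-BaselineComplianceReport, the CSV path, and the 'Compliant' status string are assumptions.

```powershell
# Added example (not from the original article): baseline compliance report.
#Requires -Version 5.1
#Requires -RunAsAdministrator
#Requires -Modules Microsoft.OSConfig

function Get-BaselineComplianceReport {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Scenario strings as listed in the article's table of server roles.
        [ValidateSet('SecurityBaseline/WS2025/DomainController',
                     'SecurityBaseline/WS2025/MemberServer',
                     'SecurityBaseline/WS2025/WorkgroupMember')]
        [string]$Scenario = 'SecurityBaseline/WS2025/MemberServer'
    )

    # Flatten each setting to the three columns the article's ft command shows.
    $settings = @(Get-OSConfigDesiredConfiguration -Scenario $Scenario |
        Select-Object Name,
            @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
            @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } })

    # Assumption: a passing setting reports the status string 'Compliant'.
    $failing = @($settings | Where-Object { "$($_.Status)" -ne 'Compliant' })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Scenario     = $Scenario
        Checked      = $settings.Count
        Failing      = $failing.Count
        ByStatus     = $settings | Group-Object Status -NoElement
        FailingItems = $failing | Sort-Object Name
        DriftControl = Get-OSConfigDriftControl   # current drift-control state
    }
}

$report = Get-BaselineComplianceReport
$report | Format-List ComputerName, Scenario, Checked, Failing, DriftControl
$report.ByStatus | Format-Table Name, Count -AutoSize
$report.FailingItems | Format-Table Name, Status, Reason -AutoSize -Wrap

# Keep a dated CSV of failing settings so successive runs can be compared.
$csv = Join-Path $env:TEMP ('osconfig-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
$report.FailingItems | Export-Csv -Path $csv -NoTypeInformation
if ($report.Failing -gt 0) {
    Write-Warning "$($report.Failing) settings are not compliant; details in $csv"
}
```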
Customizing baselines is more detail than I want to cover here, but if you want to know more, check out the information available in the GitHub repo associated with OSConfig.

Find out more about OSConfig at the following links:

https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview
https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines

1.1K Views 2 likes 3 Comments

Trying to figure out how to remove/reverse a TPM bypass from years ago. Can’t remember what I used!
Is there a way to figure out what I used and then remove/reverse whichever TPM bypass from years ago to get Windows 11 onto my PC at launch? I can’t for the life of me remember which method I used. Turns out I do have TPM 2.0 and it just wasn’t enabled in the BIOS, and I want to get 24H2 via Windows Update but it isn’t showing up. Maybe there’s another reason but it isn’t one of the guards, I checked in my registry. Plus I’d like to prevent future issues with updates. Would using Windows Update to reinstall my current version (but keep files and settings) be helpful, or would the bypass still be in place? I saw one person say that 24H2 showed up after doing that, but I don’t know if they had used a bypass or not.

17 Views 0 likes 1 Comment

Inaccessible Boot Device After Windows Update
I'm currently stuck at this stage, where Windows Boot Manager is recognized by BIOS, but the system still crashes during boot, resulting in error code 0x00001 after restarting. My primary concern remains to get my system operational again without data loss.

40 Views 0 likes 2 Comments

Windows Hello For Business
We are currently migrating to Intune with Windows 11 with Entra ID only and a bit of SCCM for apps. When we try and configure Windows Hello for Business, it seems that our Windows 11 devices are picking up settings for Windows Hello from SCCM. Our SCCM is version 2403, and looking at the enabled features, we do have Windows Hello for Business enabled within SCCM. But Microsoft has deprecated this in SCCM in our version so we are unable to configure this within SCCM. Does anyone have any information on how we can tell SCCM to not configure this please and leave the settings up to Intune? Currently the settings from SCCM seem to override the Intune settings on our devices.

14 Views 0 likes 0 Comments

Daily mail access problem
This happens on multiple browsers - Firefox, Chrome and Edge, Firefox and Chrome have various extensions but I never use Edge so it has nothing added, it doesn't matter whether I'm logged into the Daily Mail or not and sometimes this issue doesn't happen at all and I can post comments. Also I have 6 PCs around the house and I have exactly the same issue on all of them. The only common denominator is my IP address. What on earth is going on, no other websites seem affected. It's been happening for the last few days. I know many will say it's a blessing in disguise but I'd like to get to the bottom of it.

65 Views 0 likes 3 Comments