Maintaining homogeneous security settings across your environment can be challenging. Over time, configuration drift sets in: the system deviates from its original security settings. How do you maintain those security settings in Windows Server 2025? One of the tools Microsoft provides to maintain the desired security state of your servers is called OSConfig, and in this post we'll explore its possibilities.
OSConfig automatically maintains and corrects any system changes that deviate from the desired state, and it does so via a scheduled refresh task. The Windows Server 2025 baseline includes over 300 security settings to ensure the system meets industry-standard security requirements.
OSConfig can maintain security settings for WS 2025 machines managed locally, for Azure Arc-connected machines and also for Azure Local (v23H2). OSConfig integrates with Azure Policy, Microsoft Defender, WAC and Azure Automanage machine configuration to provide monitoring and compliance reporting.
OSConfig has nothing to do with Group Policy Objects (GPOs), which are commonly used to manage Windows systems that are part of Microsoft Active Directory (AD) or Entra ID. It's rather a complementary tool that can be applied to isolated cloud servers, machines running in a workgroup or individual systems. The provided security baselines (or templates) do, however, also cover domain controllers and member servers.
The OSConfig Architecture and configuration flow
The tool consists of a set of PowerShell cmdlets, native APIs and scenario definitions that describe the desired state configuration. A scenario is basically a group of settings applied in a predefined order, with dependencies that correspond to sub-areas.
The configuration flow is represented in the image below (from Microsoft). Basically, you can use the tool via Windows Admin Center (WAC), via Azure Policy, or locally via PowerShell.
The Drift Control
One of the main features of OSConfig is probably drift control, which ensures that your systems start in, and stay in, a known good security state. Once it is turned on, OSConfig automatically corrects any system changes that deviate from the desired state; it performs the correction via a refresh task.
If OSConfig is turned off, the refresh task is disabled automatically too. You're free to use OSConfig or another utility, as long as both aren't turned on at the same time.
The main use case is to deploy recommended security settings to your hosts and VMs and then, during the lifecycle of the OS, apply and maintain the security baselines using PowerShell or Windows Admin Center (WAC).
The advantages of using OSConfig:
Allows you to meet Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs).
Reduces operation expenses via the built-in automatic drift protection
Increases security by disabling legacy protocols
Enforces the desired state via configuration drift detection, reporting, and correction
Installation of OSConfig via PowerShell
A single line of PowerShell installs the module on WS2025. The machine needs an internet connection, as one of the prerequisites is to deploy the NuGet provider.
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
Then, to verify that the OSConfig module is installed, run this command:
Get-Module -ListAvailable -Name Microsoft.OSConfig
You can then use one of the predefined baselines depending on the machine's role: domain controller, member server (domain joined) or workgroup member (isolated system).
From Microsoft:
To apply the baseline for a domain-joined device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default
To apply the baseline for a device that’s in a workgroup, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default
Here is a screenshot
To apply the baseline for a device that’s configured as the DC, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
To apply the secured-core baseline for a device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
To apply the Microsoft Defender Antivirus baseline for a device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default
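The whole procedure above (install the module, apply a baseline, then check which settings still deviate) as one script. This is an added example, not code from the original post or from Microsoft. It uses the module's Get-OSConfigDesiredConfiguration cmdlet and assumes, as Microsoft documents, that it returns one object per setting with a Compliance property exposing Status and Reason; run it in an elevated PowerShell session on a Windows Server 2025 machine with internet access.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from Microsoft): install the
# Microsoft.OSConfig module, apply the member-server baseline and report which
# settings still deviate from the desired state.
# Assumption: Get-OSConfigDesiredConfiguration returns one object per setting
# with a Compliance property that exposes Status and Reason.

# Pick the scenario matching the machine's role:
# SecurityBaseline/WS2025/MemberServer, .../WorkgroupMember or .../DomainController
$Scenario = 'SecurityBaseline/WS2025/MemberServer'

# 1. Install and import the module (needs the NuGet provider and PSGallery access)
if (-not (Get-Module -ListAvailable -Name Microsoft.OSConfig)) {
    Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
}
Import-Module Microsoft.OSConfig

# 2. Apply the baseline with Microsoft's default values; this also registers the
#    refresh task that provides drift control
Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default

# 3. Build a per-setting compliance report
$settings = Get-OSConfigDesiredConfiguration -Scenario $Scenario
$report = $settings | Select-Object Name,
    @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
    @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } }

$nonCompliant = @($report | Where-Object { $_.Status -ne 'Compliant' })

$report | Format-Table -AutoSize
"{0} settings evaluated, {1} not yet compliant" -f $report.Count, $nonCompliant.Count

# 4. Settings still reported as non-compliant right after applying the baseline
#    usually need the restart the post mentions; re-run step 3 after the reboot
#    to confirm the baseline is fully enforced
if ($nonCompliant.Count -gt 0) {
    "Restart required for the remaining settings:"
    $nonCompliant | Format-Table Name, Reason -AutoSize
}
```

Keep the report from step 3 (for example exported with Export-Csv) as the before/after evidence for the baseline: a later run that shows new non-compliant entries is exactly the configuration drift the refresh task is meant to correct, and the Reason column tells you which value moved.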
For more details on how to remove a baseline, check compliance or verify settings, see Microsoft's documentation (linked here).
When you load Windows Admin Center (WAC), you can see the module, the different templates and the compliance status, as shown here.
When you change the baseline and check again, you get a different view, where you can apply and maintain the configuration via the button.
This looks pretty good IMHO. Use WAC for a group of machines connected to it. I think this is the way to go, but WAC is still not finished and cannot be used to administer ALL settings. However, we can see where Microsoft is heading...
Note: When you apply or remove a baseline, you must restart the server for the changes to take effect.
Customization possibilities
You can customize WS2025 security baselines and still maintain drift control. Check Microsoft's documentation for further details (linked here).
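As an added example of the customization the paragraph above describes (not code from the original post or from Microsoft), the script below overrides one setting of the member-server baseline while leaving drift control in charge of the result, and shows how to remove the scenario again when another tool is to take over. It relies on Microsoft's documented -Setting and -Value parameters of Set-OSConfigDesiredConfiguration and on the Remove-OSConfigDesiredConfiguration cmdlet; the setting name is a placeholder to replace with a Name taken from your own Get-OSConfigDesiredConfiguration output.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from Microsoft): customize a
# single baseline setting and let OSConfig's refresh task maintain the
# customized value instead of the default.
# Assumptions: -Setting/-Value are the documented customization parameters of
# Set-OSConfigDesiredConfiguration; the setting name below is a PLACEHOLDER.

$Scenario     = 'SecurityBaseline/WS2025/MemberServer'
$SettingName  = 'PLACEHOLDER_SETTING_NAME'   # replace with a Name from step 1
$DesiredValue = 0                            # replace with the value you need

Import-Module Microsoft.OSConfig

# 1. List the baseline's settings to find the exact name, current value and state
Get-OSConfigDesiredConfiguration -Scenario $Scenario |
    Select-Object Name, Value, @{ Name = 'Status'; Expression = { $_.Compliance.Status } } |
    Format-Table -AutoSize

# 2. Override one value while keeping the rest of the baseline; from now on the
#    refresh task enforces the customized value, not Microsoft's default
Set-OSConfigDesiredConfiguration -Scenario $Scenario -Setting $SettingName -Value $DesiredValue

# 3. Confirm the override is what drift control will maintain
Get-OSConfigDesiredConfiguration -Scenario $Scenario |
    Where-Object { $_.Name -eq $SettingName } |
    Select-Object Name, Value, @{ Name = 'Status'; Expression = { $_.Compliance.Status } }

# 4. If another utility is to manage the baseline (the post notes that two
#    drift-control tools should not be active at the same time), remove the
#    scenario; like applying it, this requires a restart to take full effect
# Remove-OSConfigDesiredConfiguration -Scenario $Scenario
```

Record the settings you override, together with the reason, somewhere outside the server: a customized value is indistinguishable from drift to anyone reading a later compliance report without that context.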
Final Words
Microsoft released WS 2025 a couple of weeks or months ago. The system will certainly have some bugs, and updates will improve it and add what's missing. There is no doubt about it. For now, security settings and compliance with DISA STIGs can be achieved via the PowerShell module or via WAC. The GPO templates, apparently, aren't there just yet.
It's great to see, actually, that a simple PowerShell script can harden and maintain a security baseline over time for your critical systems. In my lab test, WAC worked, but I had to disable the automatic updates during the installation because I could not connect to my server via the WAC UI. Disabling the automatic updates of the extensions solved the problem. We can see that Microsoft is working on it and that this is something that needs to be finalized, so I'd advise waiting before deploying on production systems. In the lab you can test many things, but production is production.