Windows Server 2025 – Microsoft.OSConfig

With Windows Server 2025, Microsoft introduces significant advancements in security baselines and drift control through the Microsoft.OSConfig PowerShell module, ensuring systems remain compliant and secure.

What is OSConfig?

With the Windows Server 2025 rollout, Microsoft introduces a set of enhanced security tools, with OSConfig taking center stage. OSConfig is a centralized tool to enforce security baselines and to detect and correct configuration drift.

OSConfig is a management tool designed to streamline the application of security baselines and to maintain configuration integrity. It ships role-specific baselines for Domain Controllers, Member Servers and Workgroup Members. It keeps a system compliant by enforcing the desired configuration and reverting "drift", that is, unauthorized or unintentional changes that may weaken security.

Key Features

Preconfigured Security Baselines: OSConfig comes with predefined baselines tailored to specific server roles. These include settings such as TLS 1.2 enforcement, an SMB 3.0 minimum, and restricted RDP file copy-paste. You can get the full list of settings for the security baselines on GitHub.

Drift Control: Once applied, configurations remain consistent unless explicitly altered, reducing the risk of security misconfigurations. This is the long-awaited answer to the multiple-authorities problem: an orchestrator ensures a deterministic configuration even when several authorities manage the same machine with different IT admin tools.

For users of cloud or Azure Arc-enabled resources, the precedence order is:

  1. Cloud authority (Azure Policy)
  2. Local authority (Windows Admin Center and Windows PowerShell)
  3. Any other deployment tool

For more details, see the OSConfig overview in the Microsoft documentation.

Integration with Azure Arc: For hybrid environments, OSConfig works seamlessly with Azure Arc, enabling baseline management across on-premises and cloud-connected servers.

Customizability: Administrators can tweak baseline settings to meet specific organizational needs while retaining the drift control feature.

osconfig module flowchart (Source: https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview)

Get started with Microsoft.OSConfig and PowerShell modules

By leveraging the Microsoft.OSConfig PowerShell module, administrators can set up automated compliance checks and enforce configurations across devices, ensuring consistent application of security policies.

To get started, install the Microsoft.OSConfig module from the PowerShell Gallery in an elevated PowerShell session:

Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

-Scope AllUsers requires an elevated session, and -Force suppresses the prompts, including the untrusted-repository prompt for PSGallery, so make sure you are installing the module published by Microsoft. Check for the current version of Microsoft.OSConfig on the PowerShell Gallery.

Install PowerShell Module Microsoft.OSConfig

The module is installed to C:\Program Files\WindowsPowerShell\Modules\Microsoft.OSConfig\1.2.1 (the last folder name is the installed version, 1.2.1 at the time of writing).

Microsoft.OSConfig Directory Content

Once installed, you enroll the machine in one or more scenarios; OSConfig then monitors and enforces the configuration for that scenario, for example App Control for Business (formerly Windows Defender Application Control) or the Secured-core baseline.

A security baseline provides a predefined set of policies to ensure servers align with industry best practices. With OSConfig, administrators can:

Apply one of the three Windows Server default baselines

Currently there are three default baselines: Domain Controller (DC), Member Server and Workgroup Member. Apply the one that matches the role of the server you are on.

Apply the baseline for the Domain controller (DC):

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default

Apply the baseline for the Member server:

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default
Apply Baseline Member Server

Apply the baseline for the Workgroup member:

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default

Additional baselines exist for Secured-core and Microsoft Defender Antivirus. Check the Windows Server documentation for more options.

Verify compliance manually

Verify the baseline for the Domain controller (DC):

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController

Verify the baseline for the Member server:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer

Verify the baseline for the Workgroup member:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember
Verify Baseline Member Server
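The apply-and-verify steps above, combined into one script as an added example (this is not code from the original article or from the Microsoft.OSConfig module). It picks the scenario from the machine's domain role instead of hard-coding it, applies the Microsoft default, and then prints only the settings that are still not compliant. Assumptions: the module is installed, the session is elevated, the service name dcsvc is the Declared Configuration service, and the objects returned by Get-OSConfigDesiredConfiguration expose a Compliance property with Status and Reason members, as the Microsoft verification example shows.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumes Microsoft.OSConfig is installed.
Import-Module Microsoft.OSConfig -ErrorAction Stop

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2 standalone server,
# 3 member server, 4 backup DC, 5 primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$scenario = switch ($role) {
    { $_ -in 4, 5 } { 'SecurityBaseline/WS2025/DomainController' }
    3               { 'SecurityBaseline/WS2025/MemberServer' }
    2               { 'SecurityBaseline/WS2025/WorkgroupMember' }
    default         { throw "DomainRole $role is not a server role; refusing to apply a server baseline." }
}
Write-Host "Detected DomainRole $role -> applying $scenario"

# The Declared Configuration service (assumed service name: dcsvc) is what
# enforces the desired state afterwards, so make sure it is present.
$dcsvc = Get-Service -Name dcsvc -ErrorAction Stop
Write-Host "dcsvc status: $($dcsvc.Status)"

# Apply the Microsoft default baseline for this role (enrolls the scenario).
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# Read the desired configuration back and flag anything that did not land.
# Assumption: each setting object has Compliance.Status / Compliance.Reason.
$settings     = @(Get-OSConfigDesiredConfiguration -Scenario $scenario)
$nonCompliant = @($settings | Where-Object { $_.Compliance.Status -ne 'Compliant' })

"{0} settings in {1}, {2} not compliant" -f $settings.Count, $scenario, $nonCompliant.Count
$nonCompliant |
    Format-Table Name,
        @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
        @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } } -AutoSize
```

Run this in a lab first: the baseline enforces a large set of settings at once, and once drift control is active, manual changes made afterwards are reverted at the next refresh, so any exception you need has to go into the desired configuration rather than into a one-off registry edit.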

Adjust compliance refresh intervals to suit organizational needs:

Set-OSConfigDriftControl -IntervalMinutes 45

Check the current configuration

Get-OSConfigDesiredConfiguration

Create your own baseline

Check the Microsoft documentation to get started. I will cover this in a later blog article, since it is too complex a topic to add to this one.

The Engine Behind OSConfig

The Declared Configuration service (dcsvc) plays a vital role in enforcing policies. This service processes configurations and ensures compliance by:

  1. Transforming raw configurations into system-compatible formats.
  2. Applying validated policies to live systems.
  3. Continuously monitoring and correcting drifts.

Practical Benefits

  • Automated Compliance: Reduces manual effort in ensuring configuration consistency.
  • Quick Drift Recovery: Detects and rectifies deviations from security baselines at every refresh interval.
  • Streamlined Audits: Logs changes and compliance activities for comprehensive oversight.

Windows Server 2025’s OSConfig and drift control functionalities showcase Microsoft’s commitment to enhancing server security and operational efficiency. By combining powerful tools with clear workflows, administrators can ensure their environments are both secure and robust against potential misconfigurations.

Overview of all settings

You can download the settings as CSV from https://github.com/microsoft/osconfig/blob/main/security/Defender_Antivirus-2411.csv (this particular file is the Microsoft Defender Antivirus baseline; the CSVs for the other baselines are in the same security folder of that repository).

If you import a CSV file into Excel, it gives you a very detailed overview, and you can compare the differences between the settings of the three server types (DC, member server, workgroup). For me the file looked like this.

Excel File comparing settings for Baseline Configurations
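The same comparison done in PowerShell instead of Excel, as an added example that is not part of the original article or of the microsoft/osconfig repository. It reads a baseline CSV and lists only the settings whose value differs between the Domain Controller, Member Server and Workgroup Member columns. The column names used here (Setting, DomainController, MemberServer, WorkgroupMember) are assumptions; take the real names from the header row of the CSV you download. The rows are constructed sample data, not real baseline values.

```powershell
# Added example, not from the original article or the microsoft/osconfig repo.
# ASSUMPTION: column names are placeholders; read them from the real CSV header.
function Get-BaselineRoleDifferences {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string]   $NameColumn  = 'Setting',
        [string[]] $RoleColumns = @('DomainController', 'MemberServer', 'WorkgroupMember')
    )
    foreach ($row in $Rows) {
        # Cast every cell to string so empty and $null cells compare as one value.
        $values   = foreach ($c in $RoleColumns) { [string]$row.$c }
        $distinct = @($values | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            # Emit one object per setting that is not identical across all roles.
            $out = [ordered]@{ Setting = $row.$NameColumn }
            foreach ($c in $RoleColumns) { $out[$c] = $row.$c }
            [pscustomobject]$out
        }
    }
}

# CONSTRUCTED sample data. For the real file use: Import-Csv -Path .\baseline.csv
$sample = @'
Setting,DomainController,MemberServer,WorkgroupMember
Example setting A (same everywhere),Enabled,Enabled,Enabled
Example setting B (differs on DC),Disabled,Enabled,Enabled
Example setting C (differs on workgroup),Enabled,Enabled,Disabled
Example setting D (same everywhere),2,2,2
'@
$rows = @($sample | ConvertFrom-Csv)

$diff = @(Get-BaselineRoleDifferences -Rows $rows)
"{0} of {1} settings differ between roles" -f $diff.Count, $rows.Count
$diff | Format-Table -AutoSize -Wrap
```

With the sample rows above, settings B and C are reported and A and D are not. Pointing Import-Csv at the downloaded file and passing the real role column names through -RoleColumns gives you the same role-by-role delta the Excel screenshot shows, without the manual filtering.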

Conclusion

OSConfig is currently underestimated and not widely known yet (as of 12.2024). It combines an orchestrator with the tooling to apply baselines to the different server types, and that orchestrator arbitrates between Windows Admin Center, Azure Arc, PowerShell, Azure Policy, third-party options and Azure Automanage machine configuration.

It will help you to establish a consistent security level on your Windows Server and enforce the desired configuration using drift detection.

Additional information

For a deeper dive into implementing OSConfig and understanding its inner workings, visit the detailed OSConfig guides provided by Microsoft on “How to configure the security baselines” and “How to configure App Control for Business”.

To get started testing these features and others, you can use my guide to install your home lab environment today and learn how to use cost-efficient hardware.

Andreas Hartig - MVP - Cloud and Datacenter Management, Microsoft Azure
