
New OSConfig PowerShell Security Tool in Windows Server 2025

Learn about OSConfig, a Windows Server 2025 tool for managing system settings, updates, and security configurations on Windows devices.

In looking at Windows Server 2025 and security configuration settings, there is a new tool that Microsoft has introduced called OSConfig. In case you haven’t heard of it, this blog post is for you! We will take a look at this new OSConfig PowerShell security tool in Windows Server 2025: what OSConfig is exactly, how you install it, and how you use it.

What is the OSConfig utility?

The OSConfig utility is a command line utility for managing OS system settings on Windows devices in enterprise environments. With it, admins can automate and control various things, like system configurations, updates, security settings, and other policy settings like compliance.

You can use it to manage things in cloud environments such as Azure, as well as integrate with other management tools. This is a great way to set up configs at scale, manage system updates, and monitor compliance with policies.

Install OSConfig

There are a few commands that we need to run to get OSConfig installed. I am running this on a Windows Server 2025 preview build in the lab environment.

Install-PackageProvider NuGet, PowerShellGet -Force

Then run:

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

To install it:

Install-Module -Name Microsoft.OSConfig -AllowPrerelease -Scope AllUsers -Repository PSGallery -Force

You can verify it was installed with:

Get-Module -ListAvailable -Name Microsoft.OSConfig
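
Because the install steps above mark PSGallery as trusted and use -Force, it is worth checking what was actually installed and then putting the repository policy back. This is an added example, not part of the original post; treating anything other than a Valid signature as a warning is this example's own assumption.

```powershell
# Added example: verify the installed module, then undo the PSGallery trust change.
$module = Get-Module -ListAvailable -Name Microsoft.OSConfig |
    Sort-Object Version -Descending |
    Select-Object -First 1
if (-not $module) { throw 'Microsoft.OSConfig is not installed.' }

# Check the Authenticode signature on every signable file the module ships.
$results = Get-ChildItem -Path $module.ModuleBase -Recurse -File -Include *.psd1, *.psm1, *.ps1, *.dll |
    Get-AuthenticodeSignature |
    Select-Object @{ Name = 'File';   Expression = { Split-Path $_.Path -Leaf } },
                  Status,
                  @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }

$results | Format-Table -AutoSize -Wrap

# Assumption of this example: any status other than Valid deserves a manual look.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) without a valid signature; review before applying a baseline."
}

# Return PSGallery to its default Untrusted policy so later installs prompt again.
Set-PSRepository -Name PSGallery -InstallationPolicy Untrusted
Get-PSRepository -Name PSGallery | Select-Object Name, InstallationPolicy
```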

Using it to apply security baselines

One of the really neat things we can do with the OSConfig utility is apply security baselines using the PowerShell cmdlets. Take a look at the example commands:

For a domain-joined device:

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Default

For a workgroup device:

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\WorkgroupMember -Default

A domain controller:

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default

For secured-core:

Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default

For Defender Antivirus:

Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default

Customizing security baseline settings

One of the useful things you can do with the OSConfig utility is customize security baselines using PowerShell cmdlets. Here's how you can customize individual settings and check compliance for them:

For customizing AuditDetailedFileShare on a Member Server (where the default value is 2):

Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare -Value 3

To verify the change:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name AuditDetailedFileShare

Check that the value has now been set to 3.

To view compliance status via PowerShell cmdlets, for example the secured-core state, run the following command:

Get-OSConfigDesiredConfiguration -Scenario SecuredCoreState

To get a more detailed compliance report for a Member Server:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer | ft Name

OSConfig Drift Control

OSConfig helps to maintain a desired state by continuously monitoring and then remediating settings that may have changed or drifted compared to the settings in the baseline.

  1. Set Desired Configuration: You first need to apply the desired configuration for a specific scenario using the Set-OSConfigDesiredConfiguration cmdlet.
     Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer -Name <SettingName> -Value <DesiredValue>
  2. Continuous Monitoring: OSConfig automatically enables drift control for scenarios where it is configured. The OSConfig tool checks whether the current configuration matches the desired configuration you have applied. If it detects drift, OSConfig will try to bring the configuration back to the intended state.
  3. Check Compliance/Drift Status: To view the current compliance stance (whether drift has occurred), use the Get-OSConfigDesiredConfiguration cmdlet, which will show you the compliance status and any reasons for non-compliance (drift).
     Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap
  4. Remediation: If drift happens, OSConfig will attempt to automatically remediate it by reapplying the desired configuration. However, in some cases where this may not be possible, you may need to manually enforce the configuration by running the Set-OSConfigDesiredConfiguration command again.

Just so you know, drift control is implicitly enabled once a desired configuration is applied. You can monitor drift by regularly checking compliance, and OSConfig ensures that any deviations from the baseline are detected and corrected to maintain the intended security posture.
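
To check compliance regularly rather than by eye, the query from step 3 can be wrapped in a script that a scheduled task or monitoring agent runs. This is an added example, not part of the original post; the report path is hypothetical, and it assumes a setting that matches the baseline reports a Status of 'Compliant'.

```powershell
# Added example: report settings that are not compliant with the applied baseline.
param(
    [string]$Scenario   = 'SecurityBaseline\WS2025\MemberServer',
    [string]$ReportPath = "$env:TEMP\osconfig-compliance.csv"   # hypothetical location
)

# Flatten the nested Compliance object into plain columns, as the page's ft command does.
$settings = @(Get-OSConfigDesiredConfiguration -Scenario $Scenario |
    Select-Object @{ Name = 'Computer'; Expression = { $env:COMPUTERNAME } },
                  @{ Name = 'Checked';  Expression = { (Get-Date).ToString('s') } },
                  Name,
                  @{ Name = 'Status';   Expression = { $_.Compliance.Status } },
                  @{ Name = 'Reason';   Expression = { $_.Compliance.Reason } })

if ($settings.Count -eq 0) {
    Write-Warning "No settings returned for $Scenario; has the baseline been applied?"
    exit 2
}

# Assumption: anything whose Status is not 'Compliant' has drifted or failed to apply.
$drifted = @($settings | Where-Object { $_.Status -ne 'Compliant' })

# Keep the full result set so successive runs can be compared.
$settings | Export-Csv -Path $ReportPath -NoTypeInformation
'{0}: {1} settings checked, {2} not compliant' -f $Scenario, $settings.Count, $drifted.Count

if ($drifted.Count -gt 0) {
    $drifted | Format-Table Name, Status, Reason -AutoSize -Wrap
    exit 1   # non-zero exit code lets the scheduler or monitoring agent raise an alert
}
```

A setting that keeps reappearing in this report is worth checking against the "Configuration Conflicts" item below, since another tool may be writing the same value.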

Common Tasks Impacted and Known Issues After Applying the Baseline

  • Password Requirements: Local user accounts must have a minimum of 14 characters with password complexity enforced. For domain accounts, domain-specific password policies will apply.
  • TLS Connections: Only TLS/DTLS 1.2 or higher is supported, which may block connections to older systems that do not support these protocols.
  • Copy/Paste in RDP Sessions: Copy/paste functionality in Remote Desktop Protocol (RDP) sessions is disabled by default. To turn this back on, run the following command in an elevated PowerShell session:
    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\[role being applied] -Name RemoteDesktopServicesDoNotAllowDriveRedirection -Value 0
    After running the command, you will need to reboot.
  • SMB Connections: SMB 3.0 or higher is required for connections (available since Windows Server 2012). If connecting to non-Windows systems like Linux SAMBA, you will need to make sure they support SMB 3.0, or adjust the baseline settings accordingly.
  • User Rights Errors: You may run into user rights assignment errors based on your domain configuration. These do not have an impact on the overall security baseline and they can be safely ignored.
  • Configuration Conflicts: If you’re configuring the same settings with multiple tools (including OSConfig), conflicts may occur. So you will need to keep this in mind, especially with drift control enabled.

If you have issues after using OSConfig and applying a security baseline:

  • Test the security baseline only on non-production systems. While there is a 'Remove' command, not all settings can be reverted.
  • To remove the applied baseline, open an elevated PowerShell window and run:
    Remove-OSConfigDesiredConfiguration -Scenario SecurityBaseline\WS2025\MemberServer
    Then, reboot the system.

Wrapping up

The new OSConfig PowerShell security tool in Windows Server 2025 is a great way to have desired state on your servers and have them automatically conform to a specific compliance stance. It will automatically detect drift and attempt to remediate the drift that is detected, which is a great way to keep servers secure and in compliance. This is also a great way to have security and compliance at scale if you need to roll out these settings to many Windows Servers.




Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, he has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.
