Deploy OSConfig security baselines locally
OSConfig is a security configuration stack that uses a scenario-based approach to deliver and apply desired security measures for your environment. It provides co-management support for both on-premises and Azure Arc-connected devices. You can use Windows PowerShell or Windows Admin Center to apply the security baselines throughout the device life cycle, starting from the initial deployment process.
Highlights of the security baselines include the following enforcements:
- Secured-Core: UEFI MAT, Secure Boot, Signed Boot Chain
- Protocols: TLS Enforced 1.2+, SMB 3.0+, Kerberos AES
- Credential protection: LSASS/PPL
- Account and password policies
- Security policies and security options
You can get the full list of the settings for the security baselines on GitHub.
Evaluation guidance
For at-scale operations, use Azure Policy and Azure Automanage Machine Configuration to monitor and see your compliance score.
Important
After you apply the security baseline, your system's security settings and default behaviors change. Test carefully before applying these changes in production environments.
You'll be asked to change your local administrator password after applying the security baseline for the Member server and Workgroup member scenarios.
Below you can find a list of more noticeable changes after the baselines are applied:
- The local administrator password must be changed. The new password must meet the complexity requirements and have a minimum length of 14 characters. This only applies to local user accounts; when you sign in with a domain account, domain requirements prevail.
- TLS connections are subject to a minimum of TLS/DTLS 1.2, which might prevent connections to older systems.
- The ability to copy and paste files from RDP sessions is disabled. If you need to use this function, run the following command and then reboot your device:
  Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/<ServerRoleBeingApplied> -Name RemoteDesktopServicesDoNotAllowDriveRedirection -Value 0
- Connections are subject to a minimum of SMB 3.0. Non-Windows systems that you connect to, such as Linux Samba, must support SMB 3.0, or adjustments to the baseline are needed.
- If you configure the same settings with two different methods, one being OSConfig, conflicts are expected. This is especially true when drift control is involved: if the parameters differ, you must remove one of the sources to prevent the settings from constantly changing between sources.
- You might run into SID translation errors in specific domain configurations. These errors don't impact the rest of the security baseline definition and can be ignored.
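The TLS 1.2 and SMB 3.0 minimums listed above can be checked against your dependencies before the baseline is applied. The following pre-flight script is an added example, not part of the original page or of OSConfig; the endpoint names are constructed placeholders, and `Test-Tls12Support` is a hypothetical helper defined here.

```powershell
# Added example: pre-flight check for the TLS 1.2 and SMB 3.0 minimums.
# The endpoint list is constructed sample data; replace it with the systems
# this server depends on.
$endpoints = @(
    @{ Name = 'legacy-app.contoso.example'; Port = 443 }
    @{ Name = 'ldap.contoso.example';       Port = 636 }
)

function Test-Tls12Support {
    param([string]$ComputerName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new()
    $stream = $null
    try {
        try { $client.Connect($ComputerName, $Port) } catch { return 'Unreachable' }
        # Certificate validation is skipped on purpose: this probe only checks
        # whether the peer accepts TLS 1.2 and sends no application data.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $stream = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            $stream.AuthenticateAsClient($ComputerName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            return 'TLS 1.2 accepted'
        } catch {
            return 'TLS 1.2 handshake failed'
        }
    } finally {
        if ($stream) { $stream.Dispose() }
        $client.Dispose()
    }
}

# One result row per dependency; anything other than 'TLS 1.2 accepted'
# needs attention before the baseline enforces the minimum.
$endpoints | ForEach-Object {
    [pscustomobject]@{
        Endpoint = '{0}:{1}' -f $_.Name, $_.Port
        Result   = Test-Tls12Support -ComputerName $_.Name -Port $_.Port
    }
}

# Outbound SMB sessions currently negotiated below SMB 3.0. These servers
# would be unable to connect once the SMB minimum is enforced.
Get-SmbConnection |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
    Select-Object ServerName, ShareName, Dialect
```

`Get-SmbConnection` only reports sessions that are open when the script runs, so run it while the server's normal workloads are active.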
Prerequisites
Make sure that your device is running Windows Server 2025. OSConfig doesn't support earlier versions of Windows Server.
Install the OSConfig PowerShell module
Before you can apply a security baseline for the first time, you need to install the OSConfig module via an elevated PowerShell window:
Select Start, type PowerShell, hover over Windows PowerShell, and select Run as administrator.
Run the following command to install the OSConfig module:
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
If you're prompted to install or update the NuGet provider, select Yes.
To verify that the OSConfig module is installed, run the following command:
Get-Module -ListAvailable -Name Microsoft.OSConfig
Manage OSConfig security baselines
Apply the appropriate security baselines, based on the Windows Server role of your device:
- Domain controller (DC)
- Member server
- Workgroup member
The baseline experience is powered by OSConfig. Once applied, your security baseline settings are protected from any drift automatically, which is one of the key features of its security platform.
Note
For Azure Arc-connected devices, you can apply the security baselines before or after connecting. But if the role of your server changes after the connection, you must delete and reapply the assignment to make sure that the machine configuration platform can detect the role change. For more information about deleting an assignment, see Deletion of guest assignments from Azure Policy.
To apply a baseline, verify that the baseline is applied, remove a baseline, or view detailed compliance information for OSConfig in PowerShell, use the commands on the following tabs.
To apply the baseline for a domain-joined device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default
To apply the baseline for a device that's in a workgroup, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default
To apply the baseline for a device that's configured as the DC, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
To apply the secured-core baseline for a device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
To apply the Microsoft Defender Antivirus baseline for a device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default
Note
When you apply or remove a security baseline, a restart is required for changes to take effect.
When you customize a security baseline, a restart is required for changes to take effect, depending on which security features you modified.
During the removal process, when security settings are reverted, changing these settings back to their premanaged configuration isn't guaranteed. It depends on the specific settings within the security baseline. This behavior aligns with the capabilities that the Microsoft Intune policies provide. To learn more, see Manage security baseline profiles in Microsoft Intune.
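The role-to-scenario choice described in this section can be scripted so that the wrong baseline is never applied to a server. The following is an added example, not code from the original page or from the OSConfig project; it assumes that `Get-OSConfigDesiredConfiguration` can be called with only `-Scenario` and that each returned setting exposes a `Compliance.Status` property.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Microsoft.OSConfig

# Prerequisite from this page: OSConfig supports Windows Server 2025 only.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows Server 2025') {
    throw "Unsupported OS for OSConfig baselines: $($os.Caption)"
}

# Win32_ComputerSystem.DomainRole values:
#   2 = standalone (workgroup) server, 3 = member server,
#   4 = backup domain controller,      5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

$scenario = switch ($role) {
    2               { 'SecurityBaseline/WS2025/WorkgroupMember' }
    3               { 'SecurityBaseline/WS2025/MemberServer' }
    { $_ -in 4, 5 } { 'SecurityBaseline/WS2025/DomainController' }
    default         { throw "DomainRole $role is not a server role covered by the baselines." }
}

Write-Host "Detected DomainRole $role; applying $scenario"
Set-OSConfigDesiredConfiguration -Scenario $scenario -Default

# Assumption: calling Get-OSConfigDesiredConfiguration with only -Scenario
# returns one object per setting, each with a Compliance.Status property.
# Grouping by status avoids hard-coding the status strings.
Get-OSConfigDesiredConfiguration -Scenario $scenario |
    Group-Object -Property { $_.Compliance.Status } |
    Select-Object @{ Name = 'Status'; Expression = { $_.Name } }, Count

Write-Host 'Restart the server for the baseline to take effect.'
```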
Customize OSConfig security baselines
After you complete the security baseline configuration, you can modify the security settings while maintaining drift control. Customizing the security values allows for more control of your organization's security policies, depending on your environment's specific needs.
To edit the default value of AuditDetailedFileShare from 2 to 3 for your member server, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Setting AuditDetailedFileShare -Value 3
To verify that the new value is applied, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Setting AuditDetailedFileShare
Note
Depending on which security settings are customized, certain user input is expected. These inputs are:
- MessageTextUserLogon
- MessageTextUserLogonTitle
- RenameAdministratorAccount
- RenameGuestAccount
After you provide the necessary input, select the Enter key to proceed.
Provide feedback for OSConfig
If you're blocked or experiencing a work disruption after applying the security baseline, file a bug using the Feedback Hub. To learn more about submitting feedback, see Deeper look at feedback.
Enter "OSConfig security baseline" as the feedback title. Under Choose a category, select Windows Server from the drop-down list, then select Management from the secondary drop-down list and proceed with submitting your feedback.