Wednesday, May 21, 2025

Using OSConfig to manage Windows Server 2025 security baselines


OSConfig is a security configuration and compliance management tool introduced as a PowerShell module for use with Windows Server 2025. It enables you to enforce security baselines, automate compliance, and prevent configuration drift on Windows Server 2025 computers.

OSConfig has the following requirements:

  • Windows Server 2025 (OSConfig is not supported on earlier versions)
  • PowerShell version 5.1 or higher
  • Administrator privileges

OSConfig is available as a module from the PowerShell Gallery. You install it using the following command:

Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

If prompted to install or update the NuGet provider, type Y and press Enter.

You can verify that the module is installed with:

Get-Module -ListAvailable -Name Microsoft.OSConfig

You can ensure that you have an up-to-date version of the module and the baselines by running the following command:

Update-Module -Name Microsoft.OSConfig

To check which OSConfig cmdlets are available, run:

Get-Command -Module Microsoft.OSConfig


Applying Security Baselines

OSConfig includes predefined security baselines tailored for different server roles: Domain Controller, Member Server, and Workgroup Member. These baselines enforce over 300 security settings, such as TLS 1.2+, SMB 3.0+, credential protections, and more.

Server Role          Command
-------------------  ------------------------------------------------------------------------------------------
Domain Controller    Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default
Member Server        Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default
Workgroup Member     Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default
Secured Core         Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default
Defender Antivirus   Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default

To view compliance from a PowerShell session, run the following command, specifying the appropriate baseline:

Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | Format-Table Name, @{ Name = "Status"; Expression = { $_.Compliance.Status } }, @{ Name = "Reason"; Expression = { $_.Compliance.Reason } } -AutoSize -Wrap

Whilst this PowerShell output gets the job done, you might find it easier to read the report in Windows Admin Center. To access the security baseline compliance report, connect to the server you’ve configured using OSConfig and select the Security Baseline tab of the Security blade.

Another feature of OSConfig is drift control. It helps ensure that the system starts in, and remains in, a known good security state. When you turn it on, OSConfig automatically corrects any system changes that deviate from the desired state. OSConfig makes the correction through a refresh task. This task runs every 4 hours by default, which you can verify with the Get-OSConfigDriftControl cmdlet.

You can reset how often drift control runs using the Set-OSConfigDriftControl cmdlet. For example, to set it to 45 minutes run the command:

Set-OSConfigDriftControl -IntervalMinutes 45
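The compliance query and the drift-control settings above can be combined into one script that applies a baseline, lists only the settings that are not in the desired state, saves that list for your change record, and then tightens the refresh interval. This is an added example, not code from the original post or from Microsoft's OSConfig documentation; it assumes the Microsoft.OSConfig module is installed, that the session is elevated, and that a compliant setting reports the Compliance.Status value "Compliant" (any other value is treated as non-compliant).

```powershell
# Added example: apply the Member Server baseline, report non-compliant settings,
# and confirm the drift-control interval. Not part of the original post.
#Requires -RunAsAdministrator
#Requires -Modules Microsoft.OSConfig

param(
    [string]$Scenario = 'SecurityBaseline/WS2025/MemberServer',
    [int]$DriftIntervalMinutes = 45,
    # Constructed output path for the report; adjust to your own change-record location.
    [string]$ReportPath = "$env:TEMP\osconfig-noncompliant.csv"
)

# Apply the baseline with Microsoft's default values. Re-running is safe: the
# desired state is declarative, so an already compliant setting is left alone.
Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default

# Pull the compliance view for the scenario and keep only settings that are
# not in the desired state. "Compliant" is assumed to be the compliant status
# string; anything else (for example a pending-reboot or failed setting) is flagged.
$results = @(Get-OSConfigDesiredConfiguration -Scenario $Scenario)
$nonCompliant = @(
    $results |
        Where-Object { $_.Compliance.Status -ne 'Compliant' } |
        Select-Object Name,
            @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
            @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } }
)

"{0}: {1} of {2} settings are not compliant" -f $Scenario, $nonCompliant.Count, $results.Count
$nonCompliant | Format-Table -AutoSize -Wrap

# Keep a CSV copy so the result can be attached to a change ticket or ingested by a SIEM.
$nonCompliant | Export-Csv -Path $ReportPath -NoTypeInformation
"Non-compliance report written to $ReportPath"

# Shorten the drift-control refresh interval from the 4-hour default and read the
# setting back to confirm the change took effect.
Set-OSConfigDriftControl -IntervalMinutes $DriftIntervalMinutes
Get-OSConfigDriftControl | Format-List
```

Run it once after provisioning and again after any change window; a non-empty report after the drift-control refresh has run is the signal that something outside OSConfig is changing the setting.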

Rather than just using the default included baselines, you can also customize baselines to suit your organizational needs. That’s more detail than I want to cover here, but if you want to know more, check out the information available in the GitHub repo associated with OSConfig.

Find out more about OSConfig at the following links:

https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview

https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines
