OSConfig is a security configuration and compliance management tool released as a PowerShell module for use with Windows Server 2025. It allows you to enforce security baselines, automate compliance, and prevent configuration drift on Windows Server 2025 computers.
OSConfig has the following requirements:
- Windows Server 2025 (OSConfig isn't supported on earlier versions)
- PowerShell version 5.1 or higher
- Administrator privileges
OSConfig is available as a module from the PowerShell Gallery. You install it using the following command:
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
If prompted to install or update the NuGet provider, type Y and press Enter.
You can verify that the module is installed with:
Get-Module -ListAvailable -Name Microsoft.OSConfig
You can ensure that you have an up-to-date version of the module and the baselines by running the following command:
Update-Module -Name Microsoft.OSConfig
To check which OSConfig cmdlets are available, run:
Get-Command -Module Microsoft.OSConfig
Applying Security Baselines
OSConfig includes predefined security baselines tailored for different server roles: Domain Controller, Member Server, and Workgroup Member. These baselines enforce over 300 security settings, such as TLS 1.2+, SMB 3.0+, credential protections, and more.
| Server Role | Command |
|---|---|
| Domain Controller | Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default |
| Member Server | Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default |
| Workgroup Member | Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default |
| Secured Core | Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default |
| Defender Antivirus | Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default |
To view compliance from a PowerShell session, run the following command, specifying the appropriate baseline:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap
While this PowerShell output will get the job done, you might find it easier to parse the report by using Windows Admin Center. You can access the security baseline compliance report by connecting to the server you've configured using OSConfig and selecting the Security Baseline tab of the Security blade.
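If you want to stay in PowerShell, the following added example (not part of the OSConfig module or the original post) condenses the compliance output into per-status counts and a list of settings that need attention. The function name Get-BaselineComplianceSummary, the 'Compliant' status value, and the sample objects are assumptions made for illustration; only the Name, Compliance.Status and Compliance.Reason properties come from the command above.

```powershell
# Added example: summarize OSConfig compliance results (hypothetical helper).
function Get-BaselineComplianceSummary {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-OSConfigDesiredConfiguration output:
        # a Name property plus Compliance.Status and Compliance.Reason.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Setting,

        # Assumption: a passing setting reports this Status value.
        [string]$CompliantStatus = 'Compliant'
    )
    begin { $rows = [System.Collections.Generic.List[object]]::new() }
    process {
        # Flatten the nested Compliance object; missing data becomes ''.
        $rows.Add([pscustomobject]@{
            Name   = $Setting.Name
            Status = [string]$Setting.Compliance.Status
            Reason = [string]$Setting.Compliance.Reason
        })
    }
    end {
        # Anything not explicitly compliant (including an empty Status)
        # is listed, so a setting with no data is never counted as passing.
        $failing = @($rows | Where-Object { $_.Status -ne $CompliantStatus } | Sort-Object Name)
        [pscustomobject]@{
            Total    = $rows.Count
            ByStatus = @($rows | Group-Object Status -NoElement | Select-Object Name, Count)
            Failing  = $failing
        }
    }
}

# Constructed sample input (not real OSConfig setting names) for an offline run.
$sample = @(
    [pscustomobject]@{ Name = 'SampleSettingA'; Compliance = [pscustomobject]@{ Status = 'Compliant';    Reason = '' } }
    [pscustomobject]@{ Name = 'SampleSettingB'; Compliance = [pscustomobject]@{ Status = 'NotCompliant'; Reason = 'Constructed reason text' } }
    [pscustomobject]@{ Name = 'SampleSettingC'; Compliance = $null }
)
$summary = $sample | Get-BaselineComplianceSummary
$summary.ByStatus | Format-Table -AutoSize
$summary.Failing  | Format-Table Name, Status, Reason -AutoSize -Wrap

# On a configured server, pipe in the real results instead:
# Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer |
#     Get-BaselineComplianceSummary
```

The Failing list can be piped to Export-Csv to keep a record of non-compliant settings between baseline runs.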
Another feature of OSConfig is drift control. It helps ensure that the system starts and remains in a known good security state. When you turn it on, OSConfig automatically corrects any system changes that deviate from the desired state. OSConfig makes the correction through a refresh task. This task runs every 4 hours by default, which you can verify with the Get-OSConfigDriftControl cmdlet.
You can reset how often drift control runs using the Set-OSConfigDriftControl cmdlet. For example, to set it to 45 minutes, run the command:
Set-OSConfigDriftControl -RefreshPeriod 45
Rather than just using the default included baselines, you can also customize baselines to suit your organizational needs. That's more detail than I want to cover here, but if you want to know more, check out the information available in the GitHub repo associated with OSConfig.
Find out more about OSConfig at the following links:
https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview