OSConfig is a safety configuration and compliance administration software launched as a PowerShell module to be used with Home windows Server 2025. It allows you to implement safety baselines, automate compliance, and forestall configuration drift on Home windows Server 2025 computer systems.
OSConfig has the next necessities:
- Home windows Server 2025 (OSConfig shouldn’t be supported on earlier variations)
- PowerShell model 5.1 or increased
- Administrator privileges
OSConfig is offered as a module from the PowerShell Gallery. You put in it utilizing the next command
Set up-Module -Title Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Drive
If prompted to put in or replace the NuGet supplier, sort Y and press Enter.
You’ll be able to confirm that the module is put in with:
Get-Module -ListAvailable -Title Microsoft.OSConfig
You’ll be able to guarantee that you’ve an up-to-date model of the module and the baselines by operating the next command:
Replace-Module -Title Microsoft.OSConfig
To examine which OSConfig cmdlets can be found, run:
Get-Command -Module Microsoft.OSConfig
Making use of Safety Baselines
OSConfig contains predefined safety baselines tailor-made for various server roles: Area Controller, Member Server, and Workgroup Member. These baselines implement over 300 safety settings, akin to TLS 1.2+, SMB 3.0+, credential protections, and extra.
|
Server Position |
Command |
|
Area Controller |
Set-OSConfigDesiredConfiguration -Situation SecurityBaseline/WS2025/DomainController -Default |
|
Member Server |
Set-OSConfigDesiredConfiguration -Situation SecurityBaseline/WS2025/MemberServer -Default |
|
Workgroup Member |
Set-OSConfigDesiredConfiguration -Situation SecurityBaseline/WS2025/WorkgroupMember -Default |
|
Secured Core |
Set-OSConfigDesiredConfiguration -Situation SecuredCore -Default |
|
Defender Antivirus |
Set-OSConfigDesiredConfiguration -Situation Defender/Antivirus -Default |
To view compliance from a PowerShell session, run the next command, specifying the suitable baseline:
Get-OSConfigDesiredConfiguration -Situation SecurityBaseline/WS2025/MemberServer | ft Title, @{ Title = "Standing"; Expression={$_.Compliance.Standing} }, @{ Title = "Motive"; Expression={$_.Compliance.Motive} } -AutoSize -Wrap
While this PowerShell output will get the job achieved, you would possibly discover it simpler to parse the report through the use of Home windows Admin Heart. You’ll be able to entry the safety baseline compliance report by connecting to the server you’ve configured utilizing OSConfig by deciding on the Safety Baseline tab of the Safety blade.
One other function of OSConfig is drift management. It helps be sure that the system begins and stays in a recognized good safety state. Whenever you flip it on, OSConfig mechanically corrects any system modifications that deviate from the specified state. OSConfig makes the correction via a refresh activity. This activity runs each 4 hours by default which you’ll confirm with the Get-OSConfigDriftControl cmdlet.
You’ll be able to reset how typically drift management runs utilizing the Set-OSConfigDriftControl cmdlet. For instance, to set it to 45 minutes run the command:
Set-OSConfigDriftControl -RefreshPeriod 45
Somewhat than simply utilizing the default included baselines, you may also customise baselines to fit your organizational wants. That’s extra element that I wish to cowl right here, however if you wish to know extra, take a look at the knowledge accessible within the GitHub repo related to OSConfig.
Discover out extra about OSConfig on the following hyperlinks:
https://be taught.microsoft.com/en-us/windows-server/safety/osconfig/osconfig-overview
