OSConfig is a safety configuration and compliance administration device launched as a PowerShell module to be used with Home windows Server 2025. It lets you implement safety baselines, automate compliance, and forestall configuration drift on Home windows Server 2025 computer systems.
OSConfig has the next necessities:
- Home windows Server 2025 (OSConfig is just not supported on earlier variations)
- PowerShell model 5.1 or greater
- Administrator privileges
OSConfig is accessible as a module from the PowerShell Gallery. You put in it utilizing the next command
Set up-Module -Title Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Power
If prompted to put in or replace the NuGet supplier, kind Y and press Enter.
You’ll be able to confirm that the module is put in with:
Get-Module -ListAvailable -Title Microsoft.OSConfig
You’ll be able to guarantee that you’ve got an up-to-date model of the module and the baselines by working the next command:
Replace-Module -Title Microsoft.OSConfig
To examine which OSConfig cmdlets can be found, run:
Get-Command -Module Microsoft.OSConfig
Making use of Safety Baselines
OSConfig consists of predefined safety baselines tailor-made for various server roles: Area Controller, Member Server, and Workgroup Member. These baselines implement over 300 safety settings, equivalent to TLS 1.2+, SMB 3.0+, credential protections, and extra.
|
Server Position |
Command |
|
Area Controller |
Set-OSConfigDesiredConfiguration -State of affairs SecurityBaseline/WS2025/DomainController -Default |
|
Member Server |
Set-OSConfigDesiredConfiguration -State of affairs SecurityBaseline/WS2025/MemberServer -Default |
|
Workgroup Member |
Set-OSConfigDesiredConfiguration -State of affairs SecurityBaseline/WS2025/WorkgroupMember -Default |
|
Secured Core |
Set-OSConfigDesiredConfiguration -State of affairs SecuredCore -Default |
|
Defender Antivirus |
Set-OSConfigDesiredConfiguration -State of affairs Defender/Antivirus -Default |
To view compliance from a PowerShell session, run the next command, specifying the suitable baseline:
Get-OSConfigDesiredConfiguration -State of affairs SecurityBaseline/WS2025/MemberServer | ft Title, @{ Title = "Standing"; Expression={$_.Compliance.Standing} }, @{ Title = "Motive"; Expression={$_.Compliance.Motive} } -AutoSize -Wrap
While this PowerShell output will get the job performed, you may discover it simpler to parse the report by utilizing Home windows Admin Middle. You’ll be able to entry the safety baseline compliance report by connecting to the server you’ve configured utilizing OSConfig by choosing the Safety Baseline tab of the Safety blade.
One other characteristic of OSConfig is drift management. It helps be sure that the system begins and stays in a recognized good safety state. Whenever you flip it on, OSConfig robotically corrects any system adjustments that deviate from the specified state. OSConfig makes the correction via a refresh process. This process runs each 4 hours by default which you’ll be able to confirm with the Get-OSConfigDriftControl cmdlet.
You’ll be able to reset how typically drift management runs utilizing the Set-OSConfigDriftControl cmdlet. For instance, to set it to 45 minutes run the command:
Set-OSConfigDriftControl -IntervalMinutes 45
Relatively than simply utilizing the default included baselines, you may also customise baselines to fit your organizational wants. That’s extra element that I need to cowl right here, however if you wish to know extra, try the data out there within the GitHub repo related to OSConfig.
Discover out extra about OSConfig on the following hyperlinks:
https://be taught.microsoft.com/en-us/windows-server/safety/osconfig/osconfig-overview
