OSConfig: Configure security settings in Windows Server 2025 and correct deviations


OSConfig is a new feature in Windows Server 2025 that lets you configure the security settings recommended by Microsoft. They largely correspond to those of Microsoft's Security Baseline. Management is done via PowerShell, Windows Admin Center or Azure Policy. OSConfig can also automatically correct deviations from the desired configuration.

Microsoft traditionally provides its recommended security settings in the form of exported GPOs that can be imported selectively or in their entirety into your own environment.

This security baseline includes templates for various roles and features, for example for member servers, domain controllers, Defender Antivirus or Credential Guard. For Windows Server 2025, however, it is not yet included in the Security Compliance Toolkit, more than two months after the operating system was released.

GPO templates in the Security Baseline for different roles and features


OSConfig in Windows Server 2025 largely follows this pattern, but is not based on group policies. A PowerShell interface is used for local management, and a separate service (drift control) checks for deviations from the desired settings and corrects them.

Installing the OSConfig module

The PowerShell module for OSConfig is not included in the operating system and must be added first:

Install-Module -Name Microsoft.OSConfig -Scope AllUsers `
-Repository PSGallery -Force

You can then view the list of commands contained therein:

Get-Command -Module Microsoft.OSConfig

The result is a manageable list of 8 functions and 3 aliases. Four of them configure drift control, the component responsible for correcting deviations. They can be used to display or change the interval at which the check runs, or to enable or disable the service.

Install the Microsoft.OSConfig module and display the commands it contains

Another function displays the metadata of a template, which OSConfig refers to as a scenario.

The actual management of the security settings is handled by the three functions with the noun OSConfigDesiredConfiguration (Get / Set / Remove).

Show Scenarios

To find out which security settings templates are available in OSConfig, enter the following command:

Get-OSConfigMetadata | Format-Table Name, Description -Wrap

View available scenarios in OSConfig


In addition to the templates for member servers and domain controllers known from the Security Baseline, OSConfig also offers templates for AppControl, Secured Core and workgroup servers. The latter are probably the main target group for OSConfig, because in AD domains central management already exists in the form of group policies.

Applying settings of a baseline

While you can adjust the GPOs from the Security Baseline before assigning them to the desired computers, OSConfig usually works the other way around.

You activate a scenario with all of its settings and then deselect individual ones if necessary. You could instead activate all settings one by one, but given their large number this is usually not practical.

Adjustment may often be necessary because applying strict security configuration may cause problems with applications or other systems on the network.

To display the settings contained in a template and the values intended for them, use this command:

Get-OSConfigDesiredConfiguration -Scenario Defender\Antivirus |
Select-Object Name, Description, @{n="Reason"; e={$_.Compliance.Reason}}, `
@{n="Status"; e={$_.Compliance.Status}} | Format-List

Display Defender Antivirus settings and their recommended values


As the output of the command shows, Get-OSConfigDesiredConfiguration is primarily intended to check the status of the desired configuration and to display any deviations.

In our example you can see the settings for Defender Antivirus, all of which report NotCompliant because the corresponding baseline has not yet been activated.
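Because the compliance status is returned per setting, the check can be turned into an audit across all scenarios. The following script is an added example and not code from the article or from the Microsoft.OSConfig module; it assumes that the Name property returned by Get-OSConfigMetadata can be passed directly to the -Scenario parameter, as the article does with names such as Defender\Antivirus, and that Compliance.Status holds the value Compliant for settings that match the desired state.

```powershell
# Added example (not from the article): audit every OSConfig scenario on this
# host and report only the settings whose status is not Compliant.
# Assumption: Get-OSConfigMetadata's Name value is accepted by -Scenario.
#Requires -Modules Microsoft.OSConfig

function Get-OSConfigDriftReport {
    [CmdletBinding()]
    param(
        # Restrict to specific scenarios; by default every scenario known to OSConfig
        [string[]]$Scenario = (Get-OSConfigMetadata | Select-Object -ExpandProperty Name)
    )

    foreach ($s in $Scenario) {
        try {
            $settings = Get-OSConfigDesiredConfiguration -Scenario $s -ErrorAction Stop
        } catch {
            # A scenario that cannot be read is reported, not silently skipped
            Write-Warning "Could not read scenario '$s': $($_.Exception.Message)"
            continue
        }

        foreach ($item in $settings) {
            if ($item.Compliance.Status -ne 'Compliant') {
                [pscustomobject]@{
                    Scenario = $s
                    Setting  = $item.Name
                    Status   = $item.Compliance.Status
                    Reason   = $item.Compliance.Reason
                }
            }
        }
    }
}

# Usage: full list of deviations, plus a per-scenario count that is easy to
# feed into monitoring or to compare between two points in time.
$report = Get-OSConfigDriftReport
$report | Format-Table -AutoSize
$report | Group-Object Scenario | Select-Object Name, Count

# Non-zero exit code when any drift exists, for scheduled or pipeline runs
if ($report) { exit 1 } else { exit 0 }
```

Run on a freshly installed server, the report lists every setting of every scenario as NotCompliant, exactly as the article describes for Defender Antivirus; after a baseline has been activated and the server rebooted, the remaining entries are the deviations that drift control will correct, or that you have overridden deliberately.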

Set-OSConfigDesiredConfiguration is used to activate a baseline; here again Defender Antivirus serves as the example:

Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus -Default

The Default switch ensures that all settings from the template are configured. As an alternative to Default, you can specify Setting to configure individual settings. One of the two parameters must be specified.

To change a specific setting, follow this pattern:

Set-OSConfigDesiredConfiguration -Scenario Defender\Antivirus `
-Setting SubmitSamplesConsent -Value 0

Enable all settings for Defender Antivirus, change SubmitSamplesConsent and view the status of the setting


If you want to remove a setting from the desired configuration rather than change its value, you can do so with this command:

Remove-OSConfigDesiredConfiguration -Scenario Defender\Antivirus `
-Setting SubmitSamplesConsent

Delete SubmitSamplesConsent setting for Defender Antivirus


This function can also be used to remove the entire baseline:

Remove-OSConfigDesiredConfiguration -Scenario Defender\Antivirus

However, there are some restrictions when changing or deleting settings:

  • Applying or removing a baseline requires a reboot of the server before the action takes effect;
  • Adjusting individual settings often requires a restart as well;
  • Deleting a baseline does not guarantee that the previous state will be restored.
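The pattern described above, activating a whole scenario and then deselecting or overriding individual settings, can be wrapped in a single function so that the exceptions for a host are documented in one place and the result is verified immediately. This is an added example, not code from the article or from the Microsoft.OSConfig module; the only setting name taken from the article is SubmitSamplesConsent, and the override and exclusion lists are constructed placeholders. The final compliance query assumes, as above, that Compliance.Status reads Compliant for settings that already match.

```powershell
# Added example (not from the article): apply a scenario with all its
# settings, override individual values, remove settings that must not be
# enforced, and report what is still not compliant.
#Requires -Modules Microsoft.OSConfig
#Requires -RunAsAdministrator

function Set-OSConfigScenarioWithExceptions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Scenario,
        # Setting name -> value to apply after the defaults (constructed placeholder)
        [hashtable]$Override = @{},
        # Settings to drop from the desired configuration entirely
        [string[]]$Exclude = @()
    )

    # 1. Activate every setting of the template
    Set-OSConfigDesiredConfiguration -Scenario $Scenario -Default

    # 2. Replace individual values, e.g. where an application needs a deviation
    foreach ($name in $Override.Keys) {
        Set-OSConfigDesiredConfiguration -Scenario $Scenario -Setting $name -Value $Override[$name]
    }

    # 3. Remove settings that must not be enforced on this host
    foreach ($name in $Exclude) {
        Remove-OSConfigDesiredConfiguration -Scenario $Scenario -Setting $name
    }

    # 4. Return what is still not compliant; a pending reboot is the usual reason
    Get-OSConfigDesiredConfiguration -Scenario $Scenario |
        Where-Object { $_.Compliance.Status -ne 'Compliant' } |
        Select-Object Name,
            @{n = 'Status'; e = { $_.Compliance.Status }},
            @{n = 'Reason'; e = { $_.Compliance.Reason }}
}

# Usage (constructed): keep the Defender Antivirus template, but do not submit samples
$pending = Set-OSConfigScenarioWithExceptions -Scenario 'Defender\Antivirus' `
    -Override @{ SubmitSamplesConsent = 0 }

if ($pending) {
    Write-Warning "$(@($pending).Count) setting(s) not yet compliant; a reboot may be required."
    $pending | Format-Table -AutoSize
}
```

Keeping the override and exclusion lists as parameters, rather than editing the scenario interactively, makes the deviations from the baseline reviewable and repeatable; the same call can be run again after the reboot to confirm that only the intended exceptions remain.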

OSConfig via Admin Center and Azure Policy

As an alternative to PowerShell, OSConfig can also be managed via the Windows Admin Center (WAC) or via Azure Policy. The latter requires that Windows Server 2025 is connected to the Microsoft cloud via Azure Arc.

WAC 2410 includes a preview of the Security Extension, which can manage OSConfig settings via its Security Baseline tab. It does not require the PowerShell module on the target system.

Managing OSConfig via the Windows Admin Center


Summary

With OSConfig, Microsoft integrates the security baseline into the operating system. PowerShell, Windows Admin Center and Azure Policy are used as tools for configuring the settings. There is also a service that finds and corrects deviations from the desired settings.

OSConfig essentially does the same as the combination of group policies and the traditional baseline. With GPOs, servers in a Windows domain can be managed centrally, while OSConfig is primarily a solution for individual computers. Accordingly, it is particularly suitable for workgroup and cloud servers.
