While at the Microsoft MVP summit, one of the MVPs mentioned the Microsoft.OSConfig module. I haven’t used it before, and I like how it works and how the product team works with the Desired State Config team on this! In this blog post, I will show you how it works.
- What is Microsoft.OSConfig?
- Prerequisites
- Installing the Microsoft.OSCOnfig Module
- Using the Microsoft.OSConfig Module
- What Security Baselines are available?
- Verify against a Security Baseline
- Securing your server using a Security Baseline
- Changing a Security Baseline Setting
- Reverting a Security Baseline
- Wrapping up
What is Microsoft.OSConfig?
“OSConfig is a security configuration stack that uses scenarios to efficiently deliver and apply administrative intent for achieving the desired state of on-premises and Azure Arc-connected devices.
The OSConfig stack consists of base cmdlets, native APIs, and a scenario definition that defines the desired state configuration. The scenario definition is a data-driven description of configurations. The configurations are groups of settings that use name/value pairs with a predefined order and dependencies that correspond to subareas.
OSConfig is commonly released with the Windows Server operating system (OS) to provide an abstraction for local device configuration. Its object model design is data driven, which allows for mapping to various providers in the Windows OS for device configuration. The following diagram describes the OSConfig flow.
Currently, with OSConfig, you can establish security baselines for various Microsoft OSs, including Windows Server 2025 and Azure Local, version 23H2. It integrates with Azure Policy, Microsoft Defender, Windows Admin Center, and Azure Automanage machine configuration to facilitate monitoring and compliance reporting.
OSConfig enables improved mapping or even direct conversion with other preexisting management definitions. These definitions include .admx files in Group Policy, .mof files in Windows Management Instrumentation (WMI), and Device Description Framework (DDF) files in the configuration service provider (CSP).”
Source: https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview
Prerequisites
Your device must be running Windows Server 2025. OSConfig doesn’t support earlier versions of Windows Server.
Installing the Microsoft.OSCOnfig Module
To install the PowerShell module on your Windows Server 2025 system, you can run the following:
Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force
After installation, the following cmdlets are available:
Using the Microsoft.OSConfig Module
What Security Baselines are available?
Several pre-defined security baselines are available, and their settings can be found in CSV files here: https://github.com/microsoft/osconfig/tree/main/security.
The “Get-OSConfigDesiredConfiguration -Scenario” gives these options that you can use:
(Notice there are 2022 baselines, but the Microsoft Learn page says Server 2025 is required.)
Verify against a Security Baseline
In this example, because I’m running this in my Windows Server 2025 Member Server (Which is not part of an Active Directory Domain) in my lab environment, I used this command line to validate my server against the SecurityBaseline/WS2025/WorkgroupMember Baseline: (Check https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines?tabs=online%2Cverify#manage-windows-server-2025-security-baselines for more examples)
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember
This resulted in an output like this:
It’s a pretty long list of checks, 294 in total, and I checked how many checks returned NotCompliant by running:
(Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember | Where-object Compliance -Match 'NotCompliant').count
184 settings were not compliant; that’s a lot. 🙁 You can get a good overview by running:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap
Securing your server using a Security Baseline
By running the following command, you can apply the SecurityBaseline/WS2025/WorkgroupMember to your server:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default
Running that command will look like this:
After rebooting, I was prompted to change my password immediately, so I knew something had changed. 🙂
Server Manager prompted me instead of starting in the background:
Rerunning the command to verify how many items were NotCompliant returned four:
These items were:
That’s correct because I didn’t configure any logon banner, and there is no GPO in place (Because it is a Workgroup server) for renaming the Administrator and Guest Account. 🙂 But that’s not bad; from 220 non-compliant settings to just 4, it’s a big step!
Changing a Security Baseline Setting
Because so many security settings were applied, you might want to change one setting but keep the Configuration Drift Control active to revert any other changes. This might be because you can’t connect to something anymore, an application on the server might not start, etc. To do this, you can rerun this to see all the settings and filter on them using Out-Gridview:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember | Out-GridView
In the example below, I filtered for the last sign-in setting (Because I had to enter the user account after applying the Security Baseline and rebooting):
So, now that I know what the setting is called, I can change it to using:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Setting DoNotDisplayLastSignedIn -Value 0
Which looks like this after running the command:
After reboot, it was changed: (No more prompt to enter the user name, just the password which is acceptable for my lab environment)
Reverting a Security Baseline
If you run into too many issues or want to reset to the default behavior of the system, you can run the following:
Remove-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember
This will look like this:
It will not mention that a reboot is required, but it will show the version behind it (2504.0) so you know what version of the Security Baseline was removed.
Wrapping up
That was an introduction to Microsoft’s OSConfig PowerShell Module. I like its concept and how it works. (I remember the Secedit days: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit, pdf.) Have a lovely weekend!