If you haven’t seen the Windows Server teams presentations from Microsoft Ignite 2024, you check out the recordings & download the presentation deck:
- BRK238: Windows Server 2025: New ways to gain cloud agility and security
Tuesday, November 19 | 9:30 AM – 10:15 AM – 45min - FP118: Bring solutions to life with exciting innovations from Windows Server
Tuesday, November 19 | 10:05 AM – 10:10 AM – 5min
With that, here’s “all the things” about Microsoft Windows Server 2025 from Microsoft Ignite 2024: (Stolen gratuitously from Jeff Woolsey, Program Manager for Windows Server)
- Windows Server 2025 Security Baseline [Preview]
Enable security on Windows Server 2025 right from the start by applying the recommended security posture for your device or VM role by applying a “security baseline” with over 350 preconfigured Windows security settings specifically for Domain Controllers, Member Servers or Workgroup Members.
https://techcommunity.microsoft.com/discussions/windowsserverinsiders/announcing-windows-server-2025-security-baseline-preview/4257686 - OS Config
Apply security configurations based on administrative intent. OS Config consists of base cmdlets, native APIs, and a scenario definition & integrates with Azure Policy, Microsoft Defender, Windows Admin Center, and Azure Automanage machine configuration.
OSConfig enables improved mapping (or even direct conversion) with other preexisting management definitions, including.admxfiles in Group Policy,.moffiles in Windows Management Instrumentation (WMI), and Device Description Framework (DDF) files in the configuration service provider (CSP).
https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-overview - Deploying Security Baselines Locally
OSConfig provides co-management support for both on-premises and Azure Arc-connected devices. You can use Windows PowerShell or Windows Admin Center to apply the security baselines throughout the device life cycle, starting from the initial deployment process.
https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-security-baselines - Configure App Control for Business by using OSConfig
App Control for Business is a software-based security layer that reduces attack surface by enforcing an explicit list of software that’s allowed to run. Microsoft developed a default policy for Windows Server 2025, which you can implement on the server by using Windows PowerShell cmdlets. App Control implementation is facilitated through the OSConfig security configuration platform and provides two main operation modes:- Audit mode: Allows untrusted code to run while events are recorded.
- Enforcement mode: Disallows untrusted code from running while events are recorded.
https://learn.microsoft.com/en-us/windows-server/security/osconfig/osconfig-how-to-configure-app-control-for-business?tabs=configure%2Cview
- Free Windows Server 2025 Security Advice Book
Windows Server 2025 introduces a suite of new and enhanced security features tailored to tackle modern threats across on-premises, hybrid, and cloud environments. Microsoft has just published a new Windows Server 2025 Security Advice book that you should download and read. For those responsible for Windows Server security in enterprise environments, this document is a technical roadmap for understanding the depth of protection now embedded in Windows Server.
https://techcommunity.microsoft.com/blog/itopstalkblog/free-windows-server-2025-security-advice-book/4287481 - Comparing how “Windows Server 2025 Security Baseline” (WS2025SB) to the “Microsoft Security Compliance Toolkit” (SCT)
It’s a night & day comparison. SCT is great, but we’re using our learnings & your feedback to improve & ease security mgmt.- “Microsoft Security Compliance Toolkit” (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit & store Microsoft-recommended security configuration baselines. SCT enables enterprise security administrators to effectively manage their enterprise’s GPOs.
While SCT helps harden Windows Server security, there was no specific focus on aligning with industry baselines like CIS/STIG. SCT is not used by Microsoft Cloud services like Microsoft 365 for example.
https://www.microsoft.com/en-us/download/details.aspx?id=55319&msockid=0b97a80c197865410296bcc118c26475 - “Windows Server 2025 Security Baseline” (WS2025SB) caters to both GPO and Arc managed systems and the baselines are consistent. This means you can use WS2025SB in distributed, hybrid, multicloud environments.
WS2025SB is >90% compliant with CIS/STIG. This also means it has ~30% more settings, almost 400, when compared to SCT. WS2025SB is used as the basis for Microsoft Cloud Services such as Microsoft 365 and more.
WS2025SB provides tailored out of the box baselines for your server role (domain controller, member server, workgroup member) including hundreds of settings to help meet CIS and STIG industry benchmarks. WS2025SB is compatible with non-domain joined systems.
Q: Does WS2025SB require Azure connectivity? Arc required?
A: No. You can manage WS2025SB locally via PowerShell or Windows Admin Center (WAC). See “Deploy Security Baselines Locally” learn.microsoft.com/en-us/window…
OR you can manage at scale via Azure Policy and Azure Machine Configuration.
If you’re not evaluating Windows Server 2025 already you should be. If you’re a Software Assurance customer, you already own it.
- “Microsoft Security Compliance Toolkit” (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit & store Microsoft-recommended security configuration baselines. SCT enables enterprise security administrators to effectively manage their enterprise’s GPOs.
Kurt Shintaku's Blog 
You must be logged in to post a comment.