Windows Server 2025 Security Baseline Change Log

This post covers the Windows Server 2025 Security Baseline change log. Microsoft published the Windows Server 2025 security baseline, revision v2506, on June 25, 2025, and said that Server baselines will be revised more frequently going forward rather than once per release cycle.

A security baseline is Microsoft's recommended set of Group Policy and security settings for a given OS version. You can download the Microsoft Security Compliance Toolkit (SCT), which includes the baseline files, and review, test and customize the baseline before deploying it.

This release includes changes to account lockout, Local Security Authority, LAPS, Kerberos, Microsoft Defender Antivirus, Windows Protected Print, Windows Update and more. You can test new features before they are generally available by joining the Windows Server Insider Program.

Download Windows Server 2025 Security Baseline

You can download the Windows Server 2025 security baseline from the link: Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center. Click the Download button, select Windows Server 2025 Security Baseline – 2025.zip, and then click Download again.


After downloading the zip file, extract it into a folder. I have already extracted it to show you the contents of the folder. The extracted folder contains:

  • Documentation: This folder contains:
    • MSFT-WS2025-v2506.PolicyRules file.
    • New Settings in Windows Server 2025 v2506.xlsx
    • MS Security Baseline Windows Server 2025 v2506.xlsx
    • Announcement.pdf
  • GPOs: This folder contains exported baseline GPO backups for DC and Member Servers.
  • Scripts: This folder contains Baseline-ADImport.ps1, Baseline-LocalInstall.ps1, config files and Tools folder.
  • Templates: This folder contains SecGuide.admx, MSS-Legacy.admx and their corresponding language files in the en-US folder.
  • GP Reports: Exported Group Policy HTML reports.
Windows Server 2025 Security Baseline folder contents

Security Baseline v2506 Change Log

Below is the list of changes in the Windows Server 2025 v2506 security baseline.

| Policy / Area | Change in v2506 | Applies to | Notes |
|---|---|---|---|
| Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight) | On Member Servers switch from SID S-1-5-113 (all local accounts) to S-1-5-114 (local account that is also Administrator), and explicitly add BUILTIN\Guests to the deny list on both DC and MS. | DC and Member Servers | Keeps local admin accounts blocked from RDP while allowing non-admin local accounts for recovery. Guests are denied as defense in depth. |
| WDigest Authentication | Removed from the baseline. | All | Policy is deprecated for Server 2025, so explicit enforcement is no longer needed. |
| Allow Windows Ink Workspace | Removed from the baseline. | All | Client-only setting, not applicable to Windows Server. |
| Audit: Authorization Policy Change | Set to Success. | DC and Member Servers | Adds low-volume, high-value audit visibility for changes to user rights and audit policy. |
| Audit: Include command line in process creation events | Enabled. | DC and Member Servers | Captures command-line parameters for process start events to improve detection and investigation. |
| Microsoft Defender AV: Control whether exclusions are visible to local users | Set to Not Configured. | All | Parent policy already governs behavior for local admins, so this child setting is redundant. |
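The following script is an added example, not part of Microsoft's SCT or its Scripts folder. It checks whether a server already reflects three of the v2506 changes above: the RDP deny list (S-1-5-114 and BUILTIN\Guests present, S-1-5-113 gone on member servers), command line capture in process creation events, and Success auditing for Authorization Policy Change. It assumes it runs elevated on Windows Server 2025 and relies only on built-in secedit, auditpol and the standard Audit policy registry key.

```powershell
# Added example, not part of Microsoft's SCT or its Scripts folder.
# Checks three v2506 changes on the local server; run elevated on Windows Server 2025.
$results = [ordered]@{}

# 1. Deny log on through Remote Desktop Services (SeDenyRemoteInteractiveLogonRight).
#    secedit exports the assignment as a comma-separated list of *SID entries.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeDenyRemoteInteractiveLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$sids = @()
if ($line) {
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
# DomainRole 4/5 = domain controller; the local-account SIDs only matter on member servers.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$results['RDP deny includes BUILTIN\Guests (S-1-5-32-546)'] = $sids -contains 'S-1-5-32-546'
if (-not $isDC) {
    $results['RDP deny includes local admin accounts (S-1-5-114)'] = $sids -contains 'S-1-5-114'
    $results['RDP deny no longer lists all local accounts (S-1-5-113)'] = $sids -notcontains 'S-1-5-113'
}

# 2. Audit: Include command line in process creation events (stored under the Audit policy key).
#    Event 4688 only carries the command line if Audit Process Creation is enabled as well.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
$results['Process creation events include command line'] = ($cmdLine -eq 1)

# 3. Audit: Authorization Policy Change set to Success (auditpol /r emits CSV).
$pol = auditpol /get /subcategory:"Authorization Policy Change" /r |
    Where-Object { $_.Trim() } | ConvertFrom-Csv
$results['Authorization Policy Change audited for Success'] = ($pol.'Inclusion Setting' -match 'Success')

# Print one PASS/FAIL line per check.
foreach ($r in $results.GetEnumerator()) {
    $state = if ($r.Value) { 'PASS' } else { 'FAIL' }
    '{0} {1}' -f $state, $r.Key
}
```

A FAIL on a freshly built server is expected until the v2506 GPOs (or Baseline-LocalInstall.ps1) have been applied and gpupdate has run.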

New GPO settings in Windows Server v2506 Security Baseline

To view the list of GPO settings added or removed in the v2506 baseline, open the file \Documentation\New Settings in Windows Server 2025 v2506.xlsx. This Excel sheet provides details on newly added and removed settings, along with additional information such as the ADMX template, registry key location, and other relevant data.


The following GPO settings were added in the Windows Server 2025 v2506 security baseline:

  • Disabled SMB over QUIC Server Exception List
  • Set TLS/SSL security policy for IPP printers
  • Enable Energy Saver to Always Be On
  • Allowed package family names for non-admin user install
  • Set authorized domains for HTTPS authentication in MSIX streaming install
  • Force Onlooker Detection
  • Force Onlooker Detection Action
  • Disable Cocreator
  • Disable generative fill
  • Disable Image Creator
  • Enable enhanced shell experience for RemoteApp
  • Enable Windows backup
  • Disable Widgets Board
  • Disable Widgets On Lock Screen
  • Allow Recall to be enabled
  • Disable Click to Do
  • Set a list of apps to be filtered from snapshots for Recall
  • Set a list of URIs to be filtered from snapshots for Recall
  • Set maximum duration for storing snapshots used by Recall
  • Set maximum storage for snapshots used by Recall
  • Turn off saving snapshots for use with Recall
  • Show notification bell icon
  • Turn off abbreviated time and date format
  • Disable Click to Do
  • Set a list of apps to be filtered from snapshots for Recall
  • Set a list of URIs to be filtered from snapshots for Recall
  • Set maximum duration for storing snapshots used by Recall
  • Set maximum storage for snapshots used by Recall
  • Turn off saving snapshots for use with Recall
  • Set Copilot Hardware Key

The following GPO settings were removed from the Windows Server 2025 v2506 security baseline:

  • Disable caching of the Windows Hello for Business credential after sign-in
  • Turn off Saving Snapshots for Windows
