This post is about the Windows Server 2025 Security Baseline change log. Microsoft published the Windows Server 2025 security baseline, revision v2506, on June 25, 2025. Microsoft also said Server baselines will be revised more frequently going forward, not just once per cycle.
A security baseline is Microsoft’s recommended set of Group Policy and security settings for a given OS version. You can download the Microsoft Security Compliance Toolkit (SCT), which includes the baseline files. You can review, test and customize the baseline before deploying.
This release includes changes to account lockout, Local Security Authority, LAPS, Kerberos, Microsoft Defender Antivirus, Windows Protected Print, Windows Update and more. You can test new features before they are generally available by joining the Windows Server Insider Program.
Download Windows Server 2025 Security Baseline
You can download the Windows Server 2025 security baseline using the link: Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center. Click the Download button, select Windows Server 2025 Security Baseline – 2025.zip, and then click the Download button once again.

After downloading the zip file, extract it into a folder. I have already extracted it to show you the contents of the folder. The extracted folder contains:
- Documentation: This folder contains:
  - MSFT-WS2025-v2506.PolicyRules file
  - New Settings in Windows Server 2025 v2506.xlsx
  - MS Security Baseline Windows Server 2025 v2506.xlsx
  - Announcement.pdf
- GPOs: This folder contains exported baseline GPO backups for DC and Member Servers.
- Scripts: This folder contains Baseline-ADImport.ps1, Baseline-LocalInstall.ps1, config files and Tools folder.
- Templates: This folder contains SecGuide.admx, MSS-Legacy.admx and its corresponding language files in en-US folder.
- GP Reports: Exported Group Policy HTML reports.
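
To review the package before deploying, the following added PowerShell example (not part of Microsoft's toolkit or the original post) checks the extracted layout, lists each GPO backup by display name, and hashes the import scripts. `$BaselineRoot` is an assumed path, and the `bkupInfo.xml` manifest name comes from the standard Group Policy backup format rather than from this page.

```powershell
# Added example, not part of the Microsoft toolkit.
# $BaselineRoot is an assumed path: point it at the folder you extracted the zip into.
param(
    [string]$BaselineRoot = 'C:\Baselines\WS2025-v2506'
)

# Top-level folders the extracted package is described as containing.
$expectedFolders = 'Documentation', 'GPOs', 'Scripts', 'Templates', 'GP Reports'
$missing = $expectedFolders | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $BaselineRoot $_) -PathType Container)
}
if ($missing) {
    throw "Incomplete extraction, missing folder(s): $($missing -join ', ')"
}

# Each GPO backup is a folder holding a bkupInfo.xml manifest (standard
# Group Policy backup layout). Read the GPO display name from each manifest
# so the DC and Member Server backups can be told apart before import.
$backups = Get-ChildItem -LiteralPath (Join-Path $BaselineRoot 'GPOs') -Directory |
    ForEach-Object {
        $manifest = Join-Path $_.FullName 'bkupInfo.xml'
        if (Test-Path -LiteralPath $manifest -PathType Leaf) {
            $xml  = [xml](Get-Content -LiteralPath $manifest -Raw)
            # local-name() avoids depending on the manifest's XML namespace.
            $node = $xml.DocumentElement.SelectSingleNode("*[local-name()='GPODisplayName']")
            [pscustomobject]@{
                BackupFolder = $_.Name
                DisplayName  = if ($node) { $node.InnerText.Trim() } else { '<no display name>' }
            }
        }
        else {
            Write-Warning "No bkupInfo.xml in '$($_.FullName)'; not a GPO backup folder"
        }
    }

$backups | Sort-Object DisplayName | Format-Table -AutoSize

# Hash the import scripts so the copy that is eventually run can be
# compared with the copy that was reviewed.
Get-ChildItem -LiteralPath (Join-Path $BaselineRoot 'Scripts') -Filter '*.ps1' -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ Name = 'Script'; Expression = { Split-Path $_.Path -Leaf } }, Hash
```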

Security Baseline v2506 Change Log
Below is the list of changes in the Windows Server 2025 v2506 security baseline.
New GPO settings in Windows Server v2506 Security Baseline
To view the list of GPO settings added or removed in the v2506 baseline, open the file \Documentation\New Settings in Windows Server 2025 v2506.xlsx. This Excel sheet provides details on newly added and removed settings, along with additional information such as the ADMX template, registry key location, and other relevant data.

The following GPO settings are added in the Windows Server 2025 v2506 security baseline:
- Disabled SMB over QUIC Server Exception List
- Set TLS/SSL security policy for IPP printers
- Enable Energy Saver to Always Be On
- Allowed package family names for non-admin user install
- Set authorized domains for HTTPS authentication in MSIX streaming install
- Force Onlooker Detection
- Force Onlooker Detection Action
- Disable Cocreator
- Disable generative fill
- Disable Image Creator
- Enable enhanced shell experience for RemoteApp
- Enable Windows backup
- Disable Widgets Board
- Disable Widgets On Lock Screen
- Allow Recall to be enabled
- Disable Click to Do
- Set a list of apps to be filtered from snapshots for Recall
- Set a list of URIs to be filtered from snapshots for Recall
- Set maximum duration for storing snapshots used by Recall
- Set maximum storage for snapshots used by Recall
- Turn off saving snapshots for use with Recall
- Show notification bell icon
- Turn off abbreviated time and date format
- Disable Click to Do
- Set a list of apps to be filtered from snapshots for Recall
- Set a list of URIs to be filtered from snapshots for Recall
- Set maximum duration for storing snapshots used by Recall
- Set maximum storage for snapshots used by Recall
- Turn off saving snapshots for use with Recall
- Set Copilot Hardware Key
The following GPO settings are removed from the Windows Server 2025 v2506 security baseline:
- Disable caching of the Windows Hello for Business credential after sign-in
- Turn off Saving Snapshots for Windows
