OSConfig is a security configuration stack that uses scenarios to efficiently deliver and apply administrative intent for achieving the desired state of on-premises and Azure Arc-connected devices.
The OSConfig stack consists of base cmdlets, native APIs, and a scenario definition that defines the desired state configuration. The scenario definition is a data-driven description of configurations. The configurations are groups of settings that use name/value pairs with a predefined order and dependencies that correspond to subareas.
OSConfig is commonly released with the Windows Server operating system (OS) to provide an abstraction for local device configuration. Its object model design is data driven, which allows for mapping to various providers in the Windows OS for device configuration. The following diagram describes the OSConfig flow.
Currently, you can use OSConfig to establish security baselines for various Microsoft Edge OSs, such as Windows Server 2025 and Azure Local, version 23H2. It integrates with Azure Policy, Microsoft Defender, Windows Admin Center, and Azure Automanage machine configuration to facilitate monitoring and compliance reporting.
OSConfig enables improved mapping or even direct conversion with other preexisting management definitions. These definitions include .admx files in Group Policy, .mof files in Windows Management Instrumentation (WMI), and Device Description Framework (DDF) files in the configuration service provider (CSP).
One of the main features of OSConfig is drift control. It helps ensure that the system starts and remains in a known good security state. When you turn it on, OSConfig automatically corrects any system changes that deviate from the desired state. OSConfig makes the correction through a refresh task.
When you turn off the feature, the refresh task is also disabled. Users can then use other tools, with or without OSConfig, to modify the system. Each management tool can serve various purposes and be used by different actors, so multiple authorities can manage the same set of device settings. For instance, authorities can use Azure Policy for cloud or Azure Arc-enabled resources at scale, whereas they can use Windows Admin Center for local management.
To address multiple authorities, an orchestrator ensures deterministic configuration in an environment where multiple authorities use various IT admin tools. Under this model, each authority is assigned a precedence order. This precedence order doesn't just apply from a configuration perspective. It also ensures that drift control is allowed per authority and even per scenario document.
For users of cloud or Azure Arc-enabled resources, the precedence order is:
With Windows Server, you can prioritize security from the outset by deploying a recommended security posture to your devices and virtual machines. Throughout the device life cycle, you can apply these security baselines by using PowerShell or Windows Admin Center.
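The following PowerShell script is an added example, not taken from this page: a read-only audit that lists baseline settings that have drifted from the desired state, for use when drift control is turned off or when another authority manages the device. The module name Microsoft.OSConfig, the scenario name SecurityBaseline/WS2025/MemberServer, the 'Compliant' status value, and the report path are assumptions that this page doesn't state.

```powershell
# Added example: read-only drift audit against an OSConfig security baseline.
# Assumptions (not stated on this page): module name Microsoft.OSConfig, the
# default scenario name, and 'Compliant' as the passing Compliance.Status value.
param(
    [string]$Scenario   = 'SecurityBaseline/WS2025/MemberServer',
    [string]$ReportPath = (Join-Path $env:TEMP 'osconfig-drift.csv')  # hypothetical path
)

if (-not (Get-Module -ListAvailable -Name Microsoft.OSConfig)) {
    throw 'Microsoft.OSConfig module not found. Install it before you run this audit.'
}
Import-Module Microsoft.OSConfig

# Each returned object describes one setting in the scenario and its compliance state.
$settings = @(Get-OSConfigDesiredConfiguration -Scenario $Scenario -ErrorAction Stop)

# Keep only the settings whose current value deviates from the desired state.
$drift = @(
    $settings |
        Where-Object { $_.Compliance.Status -ne 'Compliant' } |
        Select-Object Name,
            @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
            @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } }
)

Write-Host ("{0}: {1} of {2} settings are not compliant." -f `
    $Scenario, $drift.Count, $settings.Count)

if ($drift.Count -gt 0) {
    # Persist the findings so a monitoring job or an admin can review them later.
    $drift | Export-Csv -Path $ReportPath -NoTypeInformation
    $drift | Format-Table -AutoSize -Wrap
    exit 1   # A nonzero exit code lets a scheduled task flag the drift.
}
exit 0
```

The script changes no settings; it only reports them, so it's safe to run on a device that another authority manages.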
Applying the OSConfig security baselines in your environment:
OSConfig is a single platform that: