Microsoft has released June 2025 revision (v2506) of the security baseline package for Windows Server 2025. This update introduces multiple enhancements aimed at bolstering enterprise security, including improvements to account lockout protocols, Local Security Authority (LSA), LAPS, Kerberos authentication, Microsoft Defender Antivirus, Windows Protected Print, Windows Update, and additional features.
The June 2025 Revision (v2506) of baseline package can be downloaded from the Microsoft Security Compliance Toolkit. You can test the recommended Server 2025 configurations within your environments, tailor them to specific needs, and implement them accordingly.
If I recall correctly, the previous baseline package for Server 2025 was released in January 2025. Moving forward, Microsoft says it will update the Windows Server baseline more frequently to address emerging threats, incorporate new Windows features, and respond to community feedback. Meanwhile, consider joining the server insider program and provide your valuable feedback to Microsoft.
Download Windows Server 2025 Security Baseline (v2506)
Visit the Microsoft Security Compliance Toolkit page. Click the Download button.
From the list of files, select Windows Server 2025 Security Baseline – 2506.zip and click the Download button. Choose a folder to save the file. Once downloaded, extract the .zip file into the selected folder. The extracted contents will include both baseline files and documentation detailing the baselines.
What does Security Baseline package include?
The security baseline v2506 update package contains the following components:
- Documentation: Includes new Settings in Windows Server 2025 v2506, MSFT-WS2025-v2506 Policy Rules, etc.
- GPOs: Exported GPOs.
- Scripts: Includes Baseline-ADImport.ps1, Baseline-LocalInstall.ps1, Config files and tools.
- Templates: Contains MSS-legacy.admx and SecGuide.admx files.
- GP Reports: Exported Group policy reports.
List of Changes in Security Baseline v2506
The security baseline v2506 update for Server 2025 introduces several enhancements made since the January 2025 release of the security baseline for Windows Server 2025. These improvements aim to strengthen enterprise security while aligning more closely with the latest standards. The specific changes are outlined in the table below.
| Security Policy | What’s Changed |
|---|---|
| Deny log on through Remote Desktop Services | Allow remote logon for non-admin local accounts on member servers and add “BUILTIN\Guests” to both DC and MS. |
| WDigest Authentication | This policy is removed from Server 2025 baseline package. |
| Allow Windows Ink Workspace | This policy is removed from Server 2025 baseline package. |
| Audit Authorization Policy Change | This policy is set to “Success” for both domain controllers and member servers. |
| Include command line in process creation events | This policy is now enabled on both domain controllers and member servers. |
| Control whether exclusions are visible to local users | The policy “Control whether exclusions are visible to local users” is set to Not Configured in this release. |
New GPO settings in v2506 Security baseline package
The following are the new group policy settings included in the security baseline package for Windows Server 2025. You’ll have to import the ADMX templates for Server 2025 to view and configure the below settings.
- Disabled SMB over QUIC Server Exception List
- Set TLS/SSL security policy for IPP printers
- Enable Energy Saver to Always Be On
- Allowed package family names for non-admin user install
- Set authorized domains for HTTPS authentication in MSIX streaming install
- Force Onlooker Detection
- Force Onlooker Detection Action
- Disable Cocreator
- Disable generative fill
- Disable Image Creator
- Enable enhanced shell experience for RemoteApp
- Enable Windows backup
- Disable Widgets Board
- Disable Widgets On Lock Screen
- Allow Recall to be enabled
- Set a list of apps to be filtered from snapshots for Recall
- Set a list of URIs to be filtered from snapshots for Recall
- Set maximum duration for storing snapshots used by Recall
- Set maximum storage for snapshots used by Recall
- Turn off saving snapshots for use with Recall
- Show notification bell icon
- Turn off abbreviated time and date format
- Disable Click to Do
- Set a list of apps to be filtered from snapshots for Recall
- Set a list of URIs to be filtered from snapshots for Recall
- Set maximum duration for storing snapshots used by Recall
- Set maximum storage for snapshots used by Recall
- Turn off saving snapshots for use with Recall
- Set Copilot Hardware Key
Dear Prajwal
Thank you for your blog – I’m wondering which templates (versions) contain the settings, because I haven’t been able to find them in Server 2025 so far. File Printing.admx is dated 1st April 2025. Do you have any idea?
Thanks and best regards,
Thomas
Not the admx, can you tell me the exact setting that you’re to configure?.