Security Baseline for Windows Server 2025 (Version 2506)

Microsoft has released the latest security baseline for Windows Server 2025, version 2506, as part of the June 2025 update cycle. This update is available through the Microsoft Security Compliance Toolkit and delivers important refinements to strengthen server security while reducing unnecessary policy overhead.

In this post, we’ll explore what’s new, why it matters, and how you can apply these changes in your environment.

HelpDesk® - The Best Help Desk Service & Ticketing Software

HelpDesk® software is a ticketing system you can use to manage customer communication in one smart place. Start for free. No credit card is required.

HelpDeskHelpDesk

What’s New in Version 2506?

The June release builds on the January 2025 baseline and introduces several key adjustments:

• Deny log on through Remote Desktop Services
  Now allows non-admin local accounts on member servers, while explicitly adding BUILTIN\Guests to both Domain Controllers (DCs) and Member Servers (MSs) for stronger defense-in-depth.
• WDigest Authentication Removed
  Since WDigest is no longer relevant under Windows Server 2025’s default settings, this outdated policy has been dropped.
• Allow Windows Ink Workspace Removed
  Ink Workspace is unnecessary on servers, so removing it reduces clutter in Group Policy Objects (GPOs) and speeds up processing.
• Audit Authorization Policy Change
  Configured to Success on both DCs and MSs, ensuring better visibility into security policy modifications.
• Include Command Line in Process Creation Events
  Enabled by default, providing valuable context for detecting suspicious or malicious activity.
• Control Whether Exclusions Are Visible to Local Users
  Set to Not Configured to avoid policy conflicts and ensure consistency across environments.

Why These Changes Matter

• Improved Remote Access Control
  Restricting RDP access while explicitly denying guest accounts helps secure remote connections without blocking legitimate maintenance needs.
• Streamlined Baseline
  Removing obsolete or irrelevant policies keeps GPOs lighter, more efficient, and easier to manage.
• Stronger Visibility and Auditing
  Enhanced logging for authorization changes and process creation with command-line details gives administrators better forensic capabilities when investigating potential threats.

How to Get the Update

You can download the Windows Server 2025 security baseline (v2506) from the Microsoft Security Compliance Toolkit.

Deployment Tips

1. Test first in a lab environment before applying organization-wide.
2. Customize carefully based on your enterprise requirements.
3. Stay updated, as Microsoft is moving to more frequent baseline updates to keep pace with new threats.

Final Thoughts

The Windows Server 2025 security baseline v2506 delivers meaningful improvements by tightening RDP controls, cleaning up irrelevant policies, and boosting auditing capabilities. These updates make it easier for IT admins to maintain secure, efficient, and compliant server environments.

👉 Ready to strengthen your infrastructure? Download the baseline today and start testing it in your environment.

Source: https://techcommunity.microsoft.com/blog/microsoft-security-baselines/security-baseline-for-windows-server-2025-version-2506/4426431