The new security baseline strengthens Windows Server 2025 with tighter controls and expanded auditing.
Microsoft has released the February 2026 security baseline update (v2602) for Windows Server 2025, introducing updated configuration standards for enterprise environments. The updated baseline strengthens default security controls and aligns server deployments with current threat mitigation best practices.
A security baseline package is a collection of Microsoft‑recommended security settings (such as Group Policy configurations and registry adjustments) designed to give organizations a consistent, hardened starting point for securing Windows systems. These baselines help standardize protections across servers by bundling tested configurations that reduce exposure to common threats and eliminate risky legacy behaviors. This makes it easier for administrators to deploy, audit, and maintain secure environments at scale.
Compared to the previous baseline, Microsoft has introduced several policy changes that focus on improved security alignment with modern standards. The sudo command is now disabled on both Member Servers (MS) and Domain Controllers (DC). This change should help to reduce privilege‑escalation attacks in enterprise environments.
Additionally, Domain Controllers now block Windows Hello for Business keys affected by the ROCA cryptographic vulnerability. Moreover, Internet Explorer 11 (IE11) can no longer be launched via COM automation, which prevents legacy applications from invoking the outdated browser. Microsoft has also disabled the setting that prevents Mark of the Web (MotW) tags from being applied to files copied from insecure sources, so that such files are tagged and receive higher scrutiny.
Microsoft expanded NTLM auditing to give administrators clearer insight into how legacy NTLM authentication is being used across their environment. This update enables auditing for all incoming NTLM traffic on both Member Servers and Domain Controllers, applies full auditing of NTLM authentication within the domain on Domain Controllers, and records all outgoing NTLM activity on both server types.
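To confirm that a server has picked up the NTLM auditing described above, the following added example (not part of the article or of Microsoft's baseline package) reads the registry values that back the three "Network security: Restrict NTLM" audit policies and compares them with the audit-all values. The article does not list these value names or numbers, so the mapping from the baseline to these values is an assumption; check it against the baseline's own documentation.

```powershell
# Added example: verify the NTLM audit settings on the local server.
# Assumption: the baseline applies the audit policies through these standard
# "Restrict NTLM" registry values (the article does not name them).
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

$checks = @(
    # 2 = enable auditing for all accounts
    [pscustomobject]@{ Setting = 'Audit incoming NTLM traffic'
                       Path = $lsa; Name = 'AuditReceivingNTLMTraffic'; Expected = 2 }
    # 1 = audit all outgoing NTLM traffic (2 would deny it)
    [pscustomobject]@{ Setting = 'Outgoing NTLM traffic to remote servers'
                       Path = $lsa; Name = 'RestrictSendingNTLMTraffic'; Expected = 1 }
)
if ($isDC) {
    # 7 = enable all; this policy only applies on Domain Controllers
    $checks += [pscustomobject]@{ Setting = 'Audit NTLM authentication in this domain'
                                  Path = $netlogon; Name = 'AuditNTLMInDomain'; Expected = 7 }
}

$results = foreach ($c in $checks) {
    # A missing value means the policy is not configured on this machine.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = $c.Name
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or pipeline flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

Once these values are in place, the audit events themselves are written to the Microsoft-Windows-NTLM/Operational event log, which is where usage of legacy NTLM can be reviewed.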
Last but not least, Microsoft has removed the “Prevent downloading of enclosures” setting, because it does not apply to Windows Server 2025. The new baseline is available through the Microsoft Security Compliance Toolkit and is intended for testing and customization before deployment within organizations.