{"id":11182,"date":"2026-01-04T15:58:27","date_gmt":"2026-01-04T20:58:27","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=11182"},"modified":"2026-01-04T16:03:10","modified_gmt":"2026-01-04T21:03:10","slug":"windows-server-2022-first-install-security-options","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/windows-server-2022-first-install-security-options\/","title":{"rendered":"Windows Server 2022 First Install Security Options"},"content":{"rendered":"<p><strong>Windows Server 2022 First Install Security Options<\/strong><\/p>\n<p>Windows Server 2022 
does not have a \"one-click\" automatic hardening button during the initial installation wizard. However, it is designed with a <strong>\"Secure by Default\"<\/strong> philosophy, and Microsoft provides tools to automate the bulk of the hardening process immediately after installation.<\/p>\n<p>Here is how the hardening process breaks down between what's automatic, what's semi-automated, and what's manual.<\/p>\n<p><strong>1. What is Automatic (Out of the Box)<\/strong><\/p>\n<p>Windows Server 2022 introduced several features that are active the moment the OS finishes installing, assuming your hardware supports them:<\/p>\n<ul>\n<li><strong>Secured-core Server:<\/strong> If you bought certified hardware, the OS automatically coordinates with the hardware (TPM 2.0) and firmware to enable <strong>Secure Boot<\/strong> and <strong>Hardware Root-of-Trust<\/strong>.<sup>1<\/sup><\/li>\n<li><strong>TLS 1.3 Enabled by Default:<sup>2<\/sup><\/strong> Unlike previous versions, the most secure encryption protocol for web and network traffic is on from the start.<\/li>\n<li><strong>Virtualization-Based Security (VBS):<\/strong> The OS uses the processor's virtualization features to create a \"black box\" in memory that protects credentials from being scraped (Credential Guard).<sup>3<\/sup><\/li>\n<\/ul>\n<p><strong>2. 
The Semi-Automated Path (The \"Best Practice\")<\/strong><\/p>\n<p>While the installer won't do it for you, Microsoft provides the <strong>Microsoft Security Compliance Toolkit<\/strong>.<sup>4<\/sup> This is the closest thing to an \"automatic\" hardening process.<\/p>\n<ul>\n<li><strong>Security Baselines:<\/strong> You download a pre-configured set of <strong>Group Policy Objects (GPOs)<\/strong> designed by Microsoft engineers.<sup>5<\/sup><\/li>\n<li><strong>LGPO.exe:<\/strong> This is a command-line tool included in the toolkit.<sup>6<\/sup> It allows you to \"inject\" these security baselines into a fresh server in seconds, instantly changing hundreds of registry keys and policy settings to meet high-security standards.<\/li>\n<li><strong>Result:<\/strong> This automates about <strong>80\u201390%<\/strong> of the standard hardening (password policies, disabling old protocols like SMBv1, and locking down user rights).<\/li>\n<\/ul>\n<p><strong>3. What Remains Manual (The \"Hard\" Part)<\/strong><\/p>\n<p>Automation can\u2019t know what your specific server is supposed to <em>do<\/em>, so these steps must always be manual:<\/p>\n<ul>\n<li><strong>Role Minimization:<\/strong> You must manually choose only the \"Roles and Features\" you need. If the server isn't a Web Server, you must ensure IIS isn't installed.<\/li>\n<li><strong>Attack Surface Reduction (ASR):<\/strong> Manually disabling services that your specific applications don't need (e.g., Print Spooler on a Database server).<\/li>\n<li><strong>Network Partitioning:<\/strong> Assigning static IPs and placing the server in the correct VLAN\/DMZ.<sup>7<\/sup><\/li>\n<\/ul>\n<p><strong>Summary Checklist for a New Install<\/strong><\/p>\n<p>If you want to harden a 2022 server efficiently, follow this workflow:<\/p>\n<table>\n<thead>\n<tr>\n<th><strong>Step<\/strong><\/th>\n<th><strong>Method<\/strong><\/th>\n<th><strong>Task<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>1. 
Install<\/strong><\/td>\n<td>Manual<\/td>\n<td>Choose \"Server Core\" instead of \"Desktop Experience\" (cuts 70% of attack surface).<\/td>\n<\/tr>\n<tr>\n<td><strong>2. Update<\/strong><\/td>\n<td>Automatic<\/td>\n<td>Run Windows Update immediately to patch \"Day 0\" vulnerabilities.<\/td>\n<\/tr>\n<tr>\n<td><strong>3. Baseline<\/strong><\/td>\n<td><strong>Automated<\/strong><\/td>\n<td>Use <strong>LGPO.exe<\/strong> to apply the Microsoft Security Baseline.<\/td>\n<\/tr>\n<tr>\n<td><strong>4. Roles<\/strong><\/td>\n<td>Manual<\/td>\n<td>Install only the specific Roles required for the job.<\/td>\n<\/tr>\n<tr>\n<td><strong>5. Audit<\/strong><\/td>\n<td>Manual<\/td>\n<td>Use a tool like <strong>Policy Analyzer<\/strong> (from the toolkit) to verify the settings were actually applied.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"
<p>Windows Server 2022 First Install Security Options Windows Server 2022 does not have a \"one-click\" automatic hardening button during the initial installation wizard. However, it is designed with a \"Secure by Default\" philosophy, and Microsoft provides tools to automate the bulk of the hardening process immediately after installation. Here is how the hardening process breaks ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-11182","post","type-post","status-publish","format-standard","hentry","category-post"],"a3_pvc":{"activated":true,"total_views":3,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=11182"}],"version-history":[{"count":1,"href":"https:\/\/stevep
edwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11182\/revisions"}],"predecessor-version":[{"id":11183,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11182\/revisions\/11183"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=11182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=11182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=11182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}