CIS: Windows Server 2025
As part of the 25.4 release, a new CIS template for Windows Server 2025 is introduced. This document provides information about the hotfix which contains Center for Internet Security (CIS) templates for Windows Server 2025. This template contains implementation for 463 rules that can be installed on TrueSight Server Automation 20.x or later.
This template is created based on the recommended settings defined by Microsoft Windows Server 2025 Security Configuration Benchmark Version 1.0.0, published on March 19, 2025. This version adopts a script-based approach, where compliance checks and remediations are executed using PowerShell scripts.
Determine whether you need to install the template
If you are installing TrueSight Server Automation version 25.4 for the first time (fresh installation), no action is required because this template is installed as a part of the 25.4 installation process.
If you have upgraded to 25.4 or later, this template is not installed automatically. To install this template, do one of the following actions:
- Perform the steps mentioned in this topic.
Through this method, the CIS template for Windows Server 2025 is installed. - Upgrade the compliance content by using one of the following methods:
- Through the Auto Content Import Job after the upgrade: During the Application Server upgrade, the Network Shell script of this job is updated. After you upgrade TrueSight Server Automation, execute this job to obtain the latest compliance content. Through this method, the latest version of all the templates that are available in version 25.4 is installed.
For the complete list of supported templates and their versions, see Compliance Content support and requirements. - Install manually by using the content installer: Make sure that you use the content installer of the same version as the Application Server version.
For information about how to install the compliance content manually, see Walkthrough: Loading compliance content.
When you use this method, you have the flexibility to choose the template you want to install from the set available in version 25.4.
- Through the Auto Content Import Job after the upgrade: During the Application Server upgrade, the Network Shell script of this job is updated. After you upgrade TrueSight Server Automation, execute this job to obtain the latest compliance content. Through this method, the latest version of all the templates that are available in version 25.4 is installed.
Before you begin
Before you install this hotfix, make sure that you perform the following:
- Review the template's local and global properties to match organization standards after importing the latest template.
Property Name Impacted Rule Default Value Notes SEDENYINTERACTIVELOGONRIGHT 2.2.25 "user1" MS Targets
DC Targets
Standalone/Workgroup
Make sure to set SEDENYINTERACTIVELOGONRIGHT configured with the BladeLogicRSCD(RSCD Agent) user on MS and BladeLogicRSCDDC(RSCD Agent) on DC.
For multiple values, set a comma-separated list of usernames in string format — for example: "user1,user2" - The audit script automatically detects whether the target is a Domain Controller or a Member Server. So, do not set the DOMAIN property manually.
- Ensure required ADMX and ADML files are copied to the respective directories on all target servers:
- ADMX: C:\Windows\PolicyDefinitions
- ADML: C:\Windows\PolicyDefinitions\en-US
These files are necessary for proper remediation.
Step 1: Downloading and installing
- Download the CIS - Windows Server 2025 package from the BMC EPD website and follow these steps:
- Log in to the BMC EPD Website.
- Go to Additional Products tab, under View By Category, and select Server Automation.
- Go to:
- TrueSight Server Automation > TrueSight Server Automation 25.2.00 or
- TrueSight Server Automation Compliance Module > TrueSight Server Automation Compliance Module 25.2.00.
- Download TSSA 25.2.00 CIS Updates for Windows 2025, which includes the following:
- CIS - Windows Server 2025.zip
- CIS_Microsoft_Windows_Server_2025_Benchmark_v1.0.0.pdf
- RELEASE_NOTES_FOR_CIS_WINDOWS_2025.docx
- ExtendedObjects.zip
- Verify the downloaded content by using the following checksums:
File name Checksum CIS - Windows Server 2025.zip 8514d90caa48f2898941892793460e4b ExtendedObjects.zip 06d6ee3ed3be309fdb97d2472da7c4a5
- Extract ExtendedObjects.zip to a temporary location.
- Back up the existing extended objects located at <Appserver_Install_Path>/share/sensors/cis/win2025.
- Replace the extended objects from the extracted zip file on all application servers. Keep all other existing extended objects intact.
- Move the CIS - Windows Server 2025 package to your RCP client server.
Step 2: Importing the Compliance Content
- Log on the Application Server console.
- Right-click Component Templates and click Import.
- Select Import (Version-neutral) and click OK.
- Select the updated CIS - Windows Server 2025.zip package from the temporary location.
The CIS template for CIS - Windows Server 2025 is available in the CIS - Windows Server 2025.zip package. To import the templates, select the CIS - Windows Server 2025.zip and click Next.
- Make sure you select the Update objects according to the imported packages and Preserve template group path options and click Next.
- Click Finish.
- Click OK.
The templates are imported successfully and are shown under CIS Compliance Content > CIS.
Rules within the template
The following are the details of the 463 rules provided in the zip package. It contains the following types of rules:
- Rules that check for compliance(audit) and provides remediation = 463
- Rules that check for compliance(audit) but do not provide remediation = 0
- Rules that do not check for compliance and do not provide remediation = 0
The following are the details of the rules that are divided into parts:
- Rules not divided into parts = 463
So, the current rule count according to CIS Windows Server 2025 template after running the compliance job is 463.