Initial Configuration of Windows Server 2025 After Installation
Completing a fresh installation of Windows Server 2025 is only the first step. Before you can safely place a server into production, a series of critical configuration tasks must be completed: setting a meaningful hostname, assigning a static IP address, enabling remote access, hardening the firewall, synchronising the clock, and applying the latest security updates. Skipping or deferring these steps introduces unnecessary risk and makes ongoing management far more difficult. This guide walks through every essential post-installation configuration task using PowerShell, which is the recommended approach for repeatability, automation, and documentation. All commands are tested against Windows Server 2025 (build 26100) and assume you are logged in with a local administrator account immediately after the OS installation wizard completes.
Prerequisites
- Windows Server 2025 installed (Standard or Datacenter edition)
- Local administrator account active and logged in
- A planned static IP address, subnet mask, default gateway, and DNS server addresses
- Planned hostname following your organisation’s naming convention
- Internet access (or WSUS server) for Windows Update
- PowerShell 5.1 (included in Windows Server 2025) — open an elevated session before running any commands
Step 1 — Set the Server Hostname
The default computer name assigned by the installer is a random string that is difficult to identify on the network. Set a meaningful name immediately, before joining any domain or configuring network services, because a rename after domain join requires additional steps.
# View the current computer name
$env:COMPUTERNAME
# Rename the computer — replace SRVWEB01 with your target hostname
Rename-Computer -NewName "SRVWEB01" -Force
# The change takes effect after a restart; do NOT restart yet —
# complete all other steps first and restart once at the end
If you need to rename a remote machine in one step, add -ComputerName and -LocalCredential parameters. For domain-joined renames, also supply -DomainCredential.
Step 2 — Configure a Static IP Address
Most servers require a static address. Windows Server 2025 uses the NetTCPIP module for IP configuration. First identify the interface index, then apply the address.
# List network adapters and their indexes
Get-NetAdapter | Select-Object Name, InterfaceIndex, Status, MacAddress
# Remove any existing DHCP-assigned address on the chosen adapter (index 3 in this example)
# Replace InterfaceIndex with your actual value
$ifIndex = 3
Remove-NetIPAddress -InterfaceIndex $ifIndex -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix "0.0.0.0/0" -Confirm:$false -ErrorAction SilentlyContinue
# Assign a static IP, subnet prefix length, and default gateway
New-NetIPAddress `
-InterfaceIndex $ifIndex `
-IPAddress "192.168.1.10" `
-PrefixLength 24 `
-DefaultGateway "192.168.1.1"
# Set primary and secondary DNS servers
Set-DnsClientServerAddress `
-InterfaceIndex $ifIndex `
-ServerAddresses ("192.168.1.1", "8.8.8.8")
# Verify the configuration
Get-NetIPAddress -InterfaceIndex $ifIndex
Get-DnsClientServerAddress -InterfaceIndex $ifIndex
Step 3 — Enable Remote Desktop Protocol (RDP)
RDP is disabled by default on Server Core and GUI installations alike. Enable it via the registry and confirm the firewall rule is active.
# Enable RDP
Set-ItemProperty `
-Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" `
-Name "fDenyTSConnections" `
-Value 0
# Require Network Level Authentication (NLA), which is strongly recommended
Set-ItemProperty `
-Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
-Name "UserAuthentication" `
-Value 1
# Enable the built-in firewall rule group for RDP
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Set the Remote Desktop Services service to start automatically, then start it
Set-Service -Name "TermService" -StartupType Automatic
Start-Service -Name "TermService"
Step 4 — Configure Windows Firewall Baseline
Windows Firewall should remain enabled on all server profiles. Enable the rules you need and verify the overall firewall state.
# Confirm firewall is enabled on all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Allow ICMPv4 (ping) — useful for monitoring
Enable-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
# Allow WinRM (HTTP, port 5985) for remote PowerShell — optional at this stage
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"
# List all enabled inbound rules to review what is open
Get-NetFirewallRule -Direction Inbound -Enabled True |
Select-Object DisplayName, Profile, Action |
Sort-Object DisplayName
Step 5 — Set the Correct Timezone
An incorrect timezone causes certificate validation errors, event log confusion, and Kerberos authentication failures. Set it before joining any domain.
# List all available timezone IDs
Get-TimeZone -ListAvailable | Select-Object Id, DisplayName
# Set the timezone — replace with your region
Set-TimeZone -Id "GMT Standard Time"
# Verify
Get-TimeZone
# Force an immediate resync (the Windows Time service, W32Time, must be running)
w32tm /resync /force
Step 6 — Install Windows Updates
Windows Server 2025 does not ship with the PSWindowsUpdate module by default, but it is available from the PowerShell Gallery. Install it and apply all available updates.
# Set execution policy to allow module installation
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
# Trust the PSGallery repository
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
# Install the PSWindowsUpdate module
Install-Module -Name PSWindowsUpdate -Force -AllowClobber
# Import the module
Import-Module PSWindowsUpdate
# Check for available updates
Get-WindowsUpdate
# Install all updates and auto-reboot if required
# Remove -AutoReboot if you want to control the restart manually
Install-WindowsUpdate -AcceptAll -AutoReboot -Confirm:$false
If the server has no internet access, point it at a WSUS server first by configuring the registry key HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU before running the above commands.
Step 7 — Disable IE Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration (IE ESC) is enabled by default on Windows Server and blocks many legitimate web downloads needed during setup. Disable it for administrators (not users) using PowerShell or Server Manager.
# Disable IE ESC for Administrators
$adminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $adminKey -Name "IsInstalled" -Value 0
# Disable IE ESC for Users (optional — review your security policy first)
$userKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $userKey -Name "IsInstalled" -Value 0
# Refresh the shell to apply immediately
Stop-Process -Name Explorer -ErrorAction SilentlyContinue
Step 8 — Create a Dedicated Administrator Account
The built-in Administrator account is a well-known target. Create a named administrator account, add it to the local Administrators group, and disable the built-in account.
# Create a new local admin account
$securePass = Read-Host -AsSecureString -Prompt "Enter password for new admin account"
New-LocalUser `
-Name "srvadmin" `
-Password $securePass `
-FullName "Server Administrator" `
-Description "Primary server admin account" `
-PasswordNeverExpires:$false `
-UserMayNotChangePassword:$false
# Add to local Administrators group
Add-LocalGroupMember -Group "Administrators" -Member "srvadmin"
# Disable the default built-in Administrator account
Disable-LocalUser -Name "Administrator"
# Verify
Get-LocalUser | Select-Object Name, Enabled, LastLogon
Step 9 — Join the Domain
If this server will be part of an Active Directory domain, join it now — after all previous steps are complete — so that DNS, hostname, and IP are already correctly set.
# Prompt for domain join credentials
$domainCred = Get-Credential -Message "Enter domain admin credentials"
# Join the domain — replace corp.example.com with your domain FQDN
Add-Computer `
-DomainName "corp.example.com" `
-Credential $domainCred `
-OUPath "OU=Servers,OU=IT,DC=corp,DC=example,DC=com" `
-Restart:$false `
-Force
# Verify the domain join status before restarting
(Get-WmiObject Win32_ComputerSystem).PartOfDomain
(Get-WmiObject Win32_ComputerSystem).Domain
Step 10 — Final Restart
Most of the changes made above — hostname rename, domain join, and some Windows Updates — require a restart to take effect. Apply all changes in a single reboot rather than restarting after each step.
# Restart the local server (-Wait, -Timeout and -Delay are only valid for remote computers)
Restart-Computer -Force
# If running this in a remote session, use:
# shutdown /r /t 30 /c "Post-installation configuration complete"
Conclusion
After the restart, Windows Server 2025 will be running under its correct hostname, on a static IP address, joined to the domain (if applicable), protected by an active firewall, patched with the latest updates, and accessible via RDP. This baseline configuration represents the minimum viable security posture for a production server. From here you can proceed with role installation — IIS, Active Directory Domain Services, DHCP, DNS, or Hyper-V — confident that the foundation is solid and auditable. All of the PowerShell commands used in this guide can be assembled into a single configuration script and stored in source control, making it straightforward to reproduce an identical configuration for every new server you provision.
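To make the baseline auditable after the final restart, the following read-only check (an added example, not part of the original guide) reports whether each setting from Steps 1 to 8 is actually in place. The expected hostname, interface index and account name are the sample values used in this guide and are assumptions to replace with your own; run it from an elevated session.

```powershell
# Added example: read-only audit of the baseline built in this guide.
$expectedName = 'SRVWEB01'   # assumption: sample hostname from Step 1
$ifIndex      = 3            # assumption: sample interface index from Step 2
$adminName    = 'srvadmin'   # assumption: sample account name from Step 8

$ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty -Path $ts
$nla = Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp"

# Match the built-in Administrator by its well-known RID (500), not by name,
# so the check still works if the account has been renamed
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$member  = Get-LocalGroupMember -Group 'Administrators' -Member $adminName -ErrorAction SilentlyContinue
$ipIf    = Get-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4
$fwOff   = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
$rdpRule = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' }

$checks = [ordered]@{
    'Hostname matches plan'           = ($env:COMPUTERNAME -eq $expectedName)
    'IPv4 is static (DHCP disabled)'  = ($ipIf.Dhcp -eq 'Disabled')
    'RDP enabled'                     = ($rdp.fDenyTSConnections -eq 0)
    'RDP requires NLA'                = ($nla.UserAuthentication -eq 1)
    'RDP firewall rules enabled'      = [bool]$rdpRule
    'Firewall on for all profiles'    = (-not $fwOff)
    'Named admin in Administrators'   = [bool]$member
    'Built-in Administrator disabled' = ($builtin -and -not $builtin.Enabled)
    'Windows Time service running'    = ((Get-Service -Name W32Time).Status -eq 'Running')
}

# Turn the results into objects so they can be displayed, exported or compared
$report = foreach ($c in $checks.GetEnumerator()) {
    [pscustomobject]@{ Check = $c.Key; Pass = [bool]$c.Value }
}
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'One or more baseline checks failed; review before placing the server in production.'
}
```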