MiServer: Managed Windows: OS Configuration

This document applies to managed Windows systems ordered on or after June 16, 2025. Contact the MiServer team ([email protected]) for any required assistance.

Operating System Hardening

Managed Windows systems are delivered with a core set of OS hardening policies. These policies are reviewed and updated in regularly announced maintenance periods. Additional OS and application hardening may be required for your server depending on data types used by your application. Please consult U-M Safe Computing for guidance on regulated data handling.

To create an HTML report of all policies applied to your MiServer:

From a command prompt launched with ‘Run as administrator’ on your MiServer instance, use the gpupdate command to compile the report. 

For example, to create a report and save to c:\temp\report.html use the following command:

gpresult /h c:\temp\report.html

System Services

The following Windows services are disabled by default on Managed Windows servers and may be selectively enabled on an as-needed basis.

Default UMROOT policy disables these specific Windows services, which also apply to Managed Windows Servers:

  • IIS Admin Service
  • Messenger
  • MSSQLServer
  • World Wide Publishing (W3SVC)

Refer to Allowing IIS, SQL and the Messaging Services in the UMROOT Domain for information on how to re-enable services on systems in need, including leveraging existing UMROOT override group policies as well as details on creating self-managed override policies.

In addition to the UMROOT disabled services, these services are disabled by MiServer policy:

  • Connected Devices Platform Service
  • Connected User Experiences and Telemetry
  • OpenSSH Server
  • Print Spooler
  • Remote Access Connection Manager
  • Shell Hardware Detection

Default Session Timeouts

Idle Remote Desktop connections will lock and require a password to resume after 15 minutes of inactivity. Idle sessions will be disconnected, not terminated, after a period of 2 hours of inactivity. These defaults are overridable upon request.

Contact the MiServer team ([email protected]) for any required assistance.

Last Updated
Friday, June 13, 2025