Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Caution
This article references CentOS, a Linux distribution that is End Of Life (EOL) status. Consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
Azure Policy's machine configuration feature provides native capability to audit or configure operating system settings as code for machines running in Azure and hybrid Arc-enabled machines. You can use the feature directly per-machine, or orchestrate it at scale by using Azure Policy.
Configuration resources in Azure are designed as an extension resource. You can imagine each configuration as an extra set of properties for the machine. Configurations can include settings such as:
- Operating system settings
- Application configuration or presence
- Environment settings
Configurations are distinct from policy definitions. Machine configuration uses Azure Policy to dynamically assign configurations to machines. You can also assign configurations to machines manually.
Examples of each scenario are provided in the following table.
| Type | Description | Example story |
|---|---|---|
| Configuration management | You want a complete representation of a server, as code in source control. The deployment should include properties of the server (size, network, storage) and configuration of operating system and application settings. | "This machine should be a web server configured to host my website." |
| Compliance | You want to audit or deploy settings to all machines in scope. Apply settings reactively to existing machines or proactively to new machines as they're deployed. | "All machines should use Transport Layer Security (TLS) 1.2. Audit existing machines so I can release change where it's needed, in a controlled way, at scale. For new machines, enforce the setting when they're deployed." |
You can view the per-setting results from configurations in the Guest assignments page. If an Azure Policy assignment orchestrated the configuration is orchestrated, you can select the "Last evaluated resource" link on the "Compliance details" page.
Note
Machine Configuration currently supports the creation of up to 50 guest assignments per machine.
Enforcement Modes for Custom Policies
In order to provide greater flexibility in the enforcement and monitoring of server settings, applications, and workloads, Machine Configuration offers three main enforcement modes for each policy assignment as described in the following table.
| Mode | Description |
|---|---|
| Audit | Only report on the state of the machine |
| Apply and Monitor | Configuration applied to the machine and then monitored for changes |
| Apply and Autocorrect | Configuration applied to the machine and brought back into conformance if drift occurs |
A video walk-through of this document is available.
Supported client types
Machine configuration policy definitions are inclusive of new versions. Older versions of operating systems available in Azure Marketplace are excluded if the Guest Configuration client isn't compatible. Additionally, Linux server versions that are out of lifetime support by their respective publishers are excluded from the support matrix.
The following table shows a list of supported operating systems on Azure images. The .x text is
symbolic to represent new minor versions of Linux distributions.
| Publisher | Name | Versions |
|---|---|---|
| Alma | AlmaLinux | 9 |
| Amazon | Linux | 2 |
| Canonical | Ubuntu Server | 16.04 - 24.x |
| Credativ | Debian | 10.x - 12.x |
| Microsoft | CBL-Mariner | 1 - 2 |
| Microsoft | Azure Linux | 3 |
| Microsoft | Windows Client | Windows 10, 11 |
| Microsoft | Windows Server | 2012 - 2025 |
| Oracle | Oracle-Linux | 7.x - 8.x |
| OpenLogic | CentOS | 7.3 - 8.x |
| Red Hat | Red Hat Enterprise Linux* | 7.4 - 9.x |
| Rocky | Rocky Linux | 8 |
| SUSE | SUSE Linux Enterprise Server | 12 SP5, 15.x |
* Red Hat CoreOS isn't supported.
Machine configuration policy definitions support custom virtual machine images as long as they're one of the operating systems in the previous table. Machine Configuration doesn't support VMSS uniform but does support VMSS Flex.
Machine configuration samples
Machine configuration built-in policy samples are available in the following locations:
- Built-in policy definitions - Guest Configuration
- Built-in initiatives - Guest Configuration
- Azure Policy samples GitHub repository
- Sample DSC resource modules
Next steps
- Discover and assign built-in policies for Azure Machine Configuration
- Set up a custom machine configuration package development environment.
- Create a package artifact for machine configuration.
- Test the package artifact from your development environment.
- Use the GuestConfiguration module to create an Azure Policy definition for at-scale management of your environment.
- Assign your custom policy definition using Azure portal.
- Learn how to view compliance details for machine configuration policy assignments.