M T, thank you for posting this question here and apologies for the delayed response. The behavior, as mentioned in the question, seems to stem from an auto-generated resource property that bypasses policy evaluation.
In summary, when a VM is being created, the property Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType is not present in the PUT request payload. You may verify this by downloading the template in the last tab of the create VM flow. When the request reaches the resource provider, the resource provider generates the property and sets its value.
In the policy definition shared above, the same situation applies, because of which the if conditions are not true until after the resource is created. The VM resource is evaluated against the policy during the next policy evaluation cycle, which puts the resource in a non-compliant state (as this is done after the resource creation), and thus a remediation task is required to deploy the VMApplication.
You might consider using Start-AzPolicyRemediation in Azure Automation to start a remediation task for this policy for non-compliant resources, as a workaround.
Hope this helps.
Please let me know if you have any questions.
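The workaround described in the answer, as an added example that is not part of the original answer: an Azure Automation runbook that lists the VMs recorded as non-compliant under the policy assignment and starts a remediation task for it with Start-AzPolicyRemediation. The assignment ID and scope are placeholders, and the runbook assumes the Automation account's managed identity holds Resource Policy Contributor plus whatever rights the policy's deployIfNotExists deployment needs, and that the Az.Accounts and Az.PolicyInsights modules are imported into the account.

```powershell
# Added example (not the original answer's code): Azure Automation runbook that
# remediates VMs left non-compliant because osType is only set by the resource
# provider after creation, so the policy's if-condition cannot match at PUT time.
# Assumptions: system-assigned managed identity with Resource Policy Contributor
# (and the rights the deployIfNotExists deployment needs); Az.Accounts and
# Az.PolicyInsights imported; the IDs below are placeholders.

param(
    # Placeholder: resource ID of the assignment whose deployIfNotExists deploys the VMApplication
    [string]$PolicyAssignmentId = '/subscriptions/<subscription-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-name>',
    # Placeholder: scope the remediation task runs against
    [string]$Scope = '/subscriptions/<subscription-id>'
)

$ErrorActionPreference = 'Stop'

# Authenticate as the Automation account's managed identity
Connect-AzAccount -Identity | Out-Null

# Latest compliance records for VMs that are non-compliant under this assignment.
# A VM created since the last evaluation cycle appears here once the cycle has run.
$filter = "ComplianceState eq 'NonCompliant' and PolicyAssignmentId eq '$PolicyAssignmentId'"
$nonCompliant = Get-AzPolicyState -Filter $filter |
    Where-Object { $_.ResourceType -eq 'Microsoft.Compute/virtualMachines' }

if (-not $nonCompliant) {
    Write-Output 'No non-compliant VMs found for this assignment; nothing to remediate.'
    return
}

Write-Output ("Found {0} non-compliant VM(s):" -f @($nonCompliant).Count)
$nonCompliant | ForEach-Object { Write-Output ("  {0}" -f $_.ResourceId) }

# One remediation task per run; ExistingNonCompliant reuses the recorded compliance
# results instead of re-examining every resource in scope.
$remediationName = 'vmapp-remediation-{0:yyyyMMdd-HHmmss}' -f (Get-Date).ToUniversalTime()
$remediation = Start-AzPolicyRemediation `
    -Name $remediationName `
    -PolicyAssignmentId $PolicyAssignmentId `
    -Scope $Scope `
    -ResourceDiscoveryMode ExistingNonCompliant

Write-Output ("Started remediation '{0}' (state: {1})" -f $remediation.Name, $remediation.ProvisioningState)

# Poll until the task leaves its in-progress states so the job log records the outcome
do {
    Start-Sleep -Seconds 30
    $remediation = Get-AzPolicyRemediation -Name $remediationName -Scope $Scope
    Write-Output ("  {0}: {1}" -f $remediation.Name, $remediation.ProvisioningState)
} while ($remediation.ProvisioningState -in @('Accepted', 'Evaluating', 'Running'))
```

Schedule the runbook to run shortly after the policy evaluation cycle so newly created VMs are picked up on the first pass. If the assignment is an initiative rather than a single definition, pass the definition's reference ID via -PolicyDefinitionReferenceId as well, otherwise Start-AzPolicyRemediation has no single deployIfNotExists effect to remediate.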