Custom policy to only contains Windows servers

Question

Hi,
I'm creating custom policy (audit) and currently I have following policy rule

"policyRule": {  
  "if": {  
    "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",  
    "like": "Windows*"  
  },  
  "then": {  
    "effect": "[parameters('effect')]",  
    "details": {  
      "type": "Microsoft.Compute/virtualMachines/extensions",  
      "existenceCondition": {  
        "allOf": [  
          {  
            "field": "Microsoft.Compute/virtualMachines/extensions/publisher",  
            "equals": "Microsoft.Azure.AzureDefenderForServers"  
          },  
          {  
            "field": "Microsoft.Compute/virtualMachines/extensions/type",  
            "equals": "MDE.Windows"  
          },  
          {  
            "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState",  
            "equals": "Succeeded"  
          }  
        ]  
      }  
    }  
  }  
}  

but now this rule also contain Windows workstation but I would want only collect data from servers so could I use something like this instead?

"field": "Microsoft.Compute/virtualMachines/extended.instanceView.osName",  
"like": "Windows Server*"  

We have several servers that have been migrated so this can not be used because they have nothing under storageProfile.imageReference

                "field": "Microsoft.Compute/imagePublisher",  
                "equals": "MicrosoftWindowsServer"  

Answer 1

Hi,
You can try to filter on alias: Microsoft.Compute/virtualMachines/instanceView.osName. Example value for that property will be like: "Windows Server 2016 Datacenter". Keep in mind that property is only filled when the VM is running and the Azure VM extension is installed. You should still filter on osType as well.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.