I'm currently using this built-in policy to install Qualys on our servers: https://www.azadvertizer.net/azpolicyadvertizer/13ce0167-8ca6-4048-8e6b-f996402e3c1b.html
{
  "properties": {
    "displayName": "Configure machines to receive a vulnerability assessment provider",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Azure Defender includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. When you enable this policy, Azure Defender automatically deploys the Qualys vulnerability assessment provider to all supported machines that don't already have it installed.",
    "metadata": {
      "category": "Security Center",
      "version": "4.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "DeployIfNotExists",
          "Disabled"
        ],
        "defaultValue": "DeployIfNotExists"
      },
      "vaType": {
        "type": "String",
        "metadata": {
          "displayName": "Vulnerability assessment provider type",
          "description": "Select the vulnerability assessment solution to provision to machines."
        },
        "allowedValues": [
          "default",
          "mdeTvm"
        ],
        "defaultValue": "default"
      }
    },
    "policyRule": {
      "if": {
        "anyof": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.HybridCompute/machines"
              },
              {
                "field": "tags",
                "notContainsKey": "MDFCSecurityConnector"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "ffff0522-1e88-47fc-8382-2a80ba848f5d",
          "evaluationDelay": "PT60M",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Security/assessments/status.code",
                "equals": "NotApplicable"
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Security/assessments/status.code",
                    "equals": "Healthy"
                  },
                  {
                    "field": "Microsoft.Security/assessments/status.cause",
                    "equals": "[parameters('vaType')]"
                  }
                ]
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "Incremental",
              "template": {
                "contentVersion": "1.0.0.0",
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "parameters": {
                  "vmName": {
                    "type": "String"
                  },
                  "resourceType": {
                    "type": "string"
                  },
                  "vaType": {
                    "type": "string"
                  }
                },
                "variables": {
                  "resourceNameAndVaType": "[concat(parameters('vmName'), '/Microsoft.Security/', parameters('vaType'))]"
                },
                "resources": [
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.compute/virtualmachines'))]",
                    "type": "Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments",
                    "name": "[variables('resourceNameAndVaType')]",
                    "apiVersion": "2020-01-01"
                  },
                  {
                    "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.hybridcompute/machines'))]",
                    "type": "Microsoft.HybridCompute/machines/providers/serverVulnerabilityAssessments",
                    "name": "[variables('resourceNameAndVaType')]",
                    "apiVersion": "2020-01-01"
                  }
                ]
              },
              "parameters": {
                "vmName": {
                  "value": "[field('name')]"
                },
                "resourceType": {
                  "value": "[field('type')]"
                },
                "vaType": {
                  "value": "[parameters('vaType')]"
                }
              }
            }
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
          ]
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "13ce0167-8ca6-4048-8e6b-f996402e3c1b"
}
Currently the policy runs against type = Microsoft.Compute/virtualMachines,
and because of that the policy installs Qualys on our Windows Desktops (which we do not want) and Azure Databricks (which fails because it is not supported). This leads to a pretty red compliance page.
Then I created a custom policy based on that built-in one, which would exclude Databricks and Windows desktops.
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "field": "Microsoft.Compute/imagePublisher",
            "in": [
              "MicrosoftWindowsDesktop",
              "AzureDatabricks"
            ]
          }
        },
        {
          "anyof": [
            {
              "field": "type",
              "equals": "Microsoft.Compute/virtualMachines"
            },
            {
              "allOf": [
                {
                  "field": "type",
                  "equals": "Microsoft.HybridCompute/machines"
                },
                {
                  "field": "tags",
                  "notContainsKey": "MDFCSecurityConnector"
                }
              ]
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/assessments",
        "name": "ffff0522-1e88-47fc-8382-2a80ba848f5d",
        "evaluationDelay": "PT60M",
        "existenceCondition": {
          "anyOf": [
            {
              "field": "Microsoft.Security/assessments/status.code",
              "equals": "NotApplicable"
            },
            {
              "allOf": [
                {
                  "field": "Microsoft.Security/assessments/status.code",
                  "equals": "Healthy"
                },
                {
                  "field": "Microsoft.Security/assessments/status.cause",
                  "equals": "[parameters('vaType')]"
                }
              ]
            }
          ]
        },
        "deployment": {
          "properties": {
            "mode": "Incremental",
            "template": {
              "contentVersion": "1.0.0.0",
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "parameters": {
                "vmName": {
                  "type": "String"
                },
                "resourceType": {
                  "type": "string"
                },
                "vaType": {
                  "type": "string"
                }
              },
              "variables": {
                "resourceNameAndVaType": "[concat(parameters('vmName'), '/Microsoft.Security/', parameters('vaType'))]"
              },
              "resources": [
                {
                  "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.compute/virtualmachines'))]",
                  "type": "Microsoft.Compute/virtualMachines/providers/serverVulnerabilityAssessments",
                  "name": "[variables('resourceNameAndVaType')]",
                  "apiVersion": "2020-01-01"
                },
                {
                  "condition": "[equals(toLower(parameters('resourceType')), toLower('microsoft.hybridcompute/machines'))]",
                  "type": "Microsoft.HybridCompute/machines/providers/serverVulnerabilityAssessments",
                  "name": "[variables('resourceNameAndVaType')]",
                  "apiVersion": "2020-01-01"
                }
              ]
            },
            "parameters": {
              "vmName": {
                "value": "[field('name')]"
              },
              "resourceType": {
                "value": "[field('type')]"
              },
              "vaType": {
                "value": "[parameters('vaType')]"
              }
            }
          }
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ]
      }
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    },
    "vaType": {
      "type": "String",
      "metadata": {
        "displayName": "Vulnerability assessment provider type",
        "description": "Select the vulnerability assessment solution to provision to machines."
      },
      "allowedValues": [
        "default",
        "mdeTvm"
      ],
      "defaultValue": "default"
    }
  }
}
The policy is now indeed excluding Databricks and Desktop, but it is also doing it for the hybrid VMs, aka Arc servers, which is not wanted. I also tried to make a few changes to the policyRule without luck. Can someone spot the mistake that I'm making? I would need the policy to also work for the hybrid VMs.
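One way to restructure the `if` block, as an added example that is not part of the original post: the `Microsoft.Compute/imagePublisher` alias belongs to Microsoft.Compute/virtualMachines only, so placing the `not ... in` exclusion in the top-level `allOf` also evaluates it against every Microsoft.HybridCompute/machines resource, where no image publisher exists. Nesting the exclusion inside the virtualMachines branch limits it to the resource type that actually carries the field and leaves the Arc branch identical to the built-in; the `parameters` and `then` sections are assumed to stay exactly as in the custom policy above.

```json
{
  "if": {
    "anyOf": [
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "not": {
              "field": "Microsoft.Compute/imagePublisher",
              "in": [
                "MicrosoftWindowsDesktop",
                "AzureDatabricks"
              ]
            }
          }
        ]
      },
      {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.HybridCompute/machines"
          },
          {
            "field": "tags",
            "notContainsKey": "MDFCSecurityConnector"
          }
        ]
      }
    ]
  }
}
```

Assigning the rewritten definition to a small test scope and comparing the list of evaluated resource IDs on the compliance page (Arc machines present, Databricks and desktop images absent) is a quick way to confirm the scoping before rolling it out more widely.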