AutoManage Windows Security Baseline for Azure AD joined VMs

Nitin Gupta 0 Reputation points
2023-06-28T09:37:39.5566667+00:00

Hi All,

Hope you're doing well!

We are facing an issue while using Azure AutoManage Service with Azure AD Joined VMs.

  1. We have created Custom Profile in AutoManage, enabling Machine Configuration Feature with ApplyAndAutoCorrect Feature.
  2. We then applied this Custom Profile to an Azure AD Joined VM in Azure.
  3. This custom profile applies the Microsoft WindowsSecurityBaseline to the VM. (https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows)
  4. One of the settings in WindowsSecurityBaseline is to disable - Network Security: Allow PKU2U authentication requests to this computer to use online identities.
  5. Since we are using ApplyAndAutoCorrect mode, this custom profile forces this setting to be disabled on the Azure AD Joined VM.
  6. By doing that, users can't RDP to this Azure AD Joined VM using Azure AD credentials, the reason being that this setting needs to be enabled for Azure AD authentication to work - Network Security: Allow PKU2U authentication requests to this computer to use online identities.

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities

Hence we can't use the AutoManage solution for Azure AD Joined VMs because it's blocking RDP to these VMs, and it's contradictory as well regarding whether this setting should be disabled or enabled. Any suggestion would be appreciated. Thanks in advance.
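The conflict described in the question can be confirmed on the VM itself before touching the AutoManage profile. The PowerShell below is an added diagnostic, not code from the original post or from Microsoft; it assumes it is run in an elevated session on the VM, that `dsregcmd /status` reports `AzureAdJoined : YES` on an Azure AD joined device, and that the policy "Network security: Allow PKU2U authentication requests to this computer to use online identities" is backed by the `AllowOnlineID` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u` (1 = enabled, 0 = disabled, absent = not defined). It reports whether the baseline has put the machine into the state where Azure AD credentials over RDP will fail.

```powershell
# Added diagnostic (not from the original post): report whether the Windows
# security baseline's PKU2U setting conflicts with Azure AD join on this VM.
# Assumption: run elevated on the VM; registry location is the documented
# backing store for the PKU2U "online identities" policy.

$Pku2uKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
$Pku2uValue = 'AllowOnlineID'

function Test-AzureAdJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" on an Azure AD joined device.
    $status = & dsregcmd.exe /status 2>$null
    return [bool]($status -match 'AzureAdJoined\s*:\s*YES')
}

function Get-Pku2uPolicy {
    # Translate the raw registry value into the policy's displayed state.
    $item = Get-ItemProperty -Path $Pku2uKey -Name $Pku2uValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotDefined' }   # value absent: policy not configured
    switch ($item.$Pku2uValue) {
        1       { return 'Enabled' }
        0       { return 'Disabled' }
        default { return "Unexpected($($item.$Pku2uValue))" }
    }
}

function Get-Pku2uReport {
    $joined = Test-AzureAdJoined
    $policy = Get-Pku2uPolicy
    # Azure AD credentials over RDP need PKU2U; a baseline that sets it to
    # Disabled on an Azure AD joined VM is exactly the conflict in the question.
    $conflict = $joined -and ($policy -eq 'Disabled')
    [PSCustomObject]@{
        AzureAdJoined     = $joined
        Pku2uPolicy       = $policy
        AzureAdRdpBlocked = $conflict
        RegistryLocation  = "$Pku2uKey\$Pku2uValue"
    }
}

$report = Get-Pku2uReport
$report | Format-List

if ($report.AzureAdRdpBlocked) {
    Write-Warning 'PKU2U is disabled on an Azure AD joined VM: RDP with Azure AD credentials will fail.'
    Write-Warning 'If an ApplyAndAutoCorrect baseline owns this setting, flipping it locally is reverted on the next consistency check; exempt the setting from the assignment instead.'
}
```

Running this on a VM that has received the baseline should show `AzureAdJoined : True`, `Pku2uPolicy : Disabled` and `AzureAdRdpBlocked : True`; rerunning it after any remediation is a quick way to check that ApplyAndAutoCorrect has not silently put the value back to 0.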


1 answer

Shashank Kumar Srivastava 0 Reputation points Student Ambassador
    2024-01-17T11:14:04.59+00:00

    @Nitin Gupta
    It seems like you've encountered a conflict between the security baseline settings applied by AutoManage and the requirements for Azure AD authentication, specifically related to the "Network Security: Allow PKU2U authentication requests to this computer to use online identities" setting.

    1. Exclude the specific setting from the Custom Profile:

    • You can modify your Custom Profile in AutoManage to exclude the specific setting that disables PKU2U authentication. This involves adding an exclusion under the "Machine Configuration" feature in the profile editor.
    • Refer to the AutoManage documentation for details on adding exclusions: https://learn.microsoft.com/en-us/azure/automanage/overview-configuration-profiles
    • This way, the baseline settings will be applied except for the PKU2U setting, allowing RDP with Azure AD credentials.

    2. Create a separate baseline for Azure AD VMs:

    • Instead of using the general WindowsSecurityBaseline, consider creating a custom baseline specifically for Azure AD Joined VMs.
    • This custom baseline can exclude the PKU2U setting while applying other desired security configurations.
    • This approach gives you more control over the security posture of your Azure AD VMs while ensuring RDP functionality.

    3. Use Conditional Access policies:

    • You can configure Azure AD Conditional Access policies to allow RDP access only from trusted devices or locations, even if PKU2U authentication is disabled on the VM.
    • This mitigates the security risk associated with disabling PKU2U while still allowing secure remote access.

    4. Consider alternative security solutions:

    • If the WindowsSecurityBaseline is essential for your security posture, you might need to explore alternative solutions for managing VM configurations.
    • Azure Policy can be used to enforce similar security settings without directly modifying system settings that could impact functionality.

    Additional recommendations:

