This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 89%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBW%3C/text%3E%3C/svg%3E)
Hi,
I currently have a custom built Azure policy to mark any VM as non-compliant if the auto-shutdown feature is not enabled (There is no remediation task currently).
We do not want this policy applied to Windows server 2019 VMs, is there anyway to exclude resources in the policy via tags or operating systems at all?
So for example if tags i would assign a tag to all the windows servers and then the policy would exclude them if the tag has been placed against the resource. Or if better the OS, for example if a VM has the OS Windows Server 2019 then exclude from the policy.
Any help would be greatly appreciated.
Kind regards,
Ben
@Ben Woodman just circling back to see if the provided post helped resolve your issue. Let us know if you have any further questions on this topic so we can better assist you. To benefit the broader community, please feel free to mark as answered.
Hi Ryan,
Thank you for following up, these answers look very good and i am sure they will help. However, as we work in sprints and with the time given i currently do not have time to investigate this, however I have put time in for the next sprint and will investigate then. Feel free to close this case and i will re-open a new one should i require but will look into this in the next few weeks.
Kind regards,
Ben
Hi, yes you can.
You should be able to add a if not true to the police for the image Offer:
"not": {
"allOf": [
{
"field": "Microsoft.Compute/virtualmachines/imageOffer",
"in": [
"2019*"
]
},
Hi @Ben Woodman
Another option is leveraging New-AzPolicyExemption cmdlet to exclude by operating system. An example of creating a policy using Azure PowerShell
$exemption = New-AzPolicyExemption `
-Name "Exclude Windows Server 2019 VMs from auto-shutdown policy" `
-PolicyAssignmentId "/subscriptions/{subscriptionId}/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentId}" `
-DisplayName "Exclude Windows Server 2019 VMs from auto-shutdown policy" `
-Description "Excludes Windows Server 2019 VMs from the auto-shutdown policy" `
-Metadata @{"category"="Auto-shutdown policy";"notes"="Excludes Windows Server 2019 VMs from the auto-shutdown policy"} `
-TargetResourceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}" `
-ExemptionCategory "Mitigated" `
-ExpirationDate (Get-Date).AddDays(30) `
-PolicyDefinitionReferenceId "/providers/Microsoft.Authorization/policyDefinitions/{policyDefinitionId}" `
-Properties @{"osType"="Windows";"osVersion"="2019"} `
-Reason "Excluding Windows Server 2019 VMs from the auto-shutdown policy" `
-CreatedBy "John Doe" `
-CreatedOn (Get-Date)
Once created, you can use Set-AzPolicyAssignment cmdlet to assign the policy.
$vms = Get-AzVM -ResourceGroupName "myResourceGroup" | ForEach-Object { $_.Id }
$exemption = Get-AzPolicyExemption -Name "Exclude Windows Server 2019 VMs from auto-shutdown policy"
$exemption.Parameters.ExcludeResourceIds.Value = $vms
Set-AzPolicyAssignment -PolicyAssignment $exemption -Id $exemption.Id