Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,645 questions
AzureWindowsBaseline Guest Assignment started to break the VM. What to do?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 93%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Marcin Słowikowski
10
Reputation points
I applied AzureWindowsBaseline Guest Assignment using ApplyAndMonitor mode, but the following items return non-compliant state.
| Name | Compliance State | Reason | |----------------------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------| | Access this computer from the network | Non-compliant | [Critical] [] is missing one or more of the required values: ["*S-1-5-32-544","*S-1-5-11"] | | Bypass traverse checking | Non-compliant | [Critical] "*S-1-5-32-545" is not one of the expected values: ["*S-1-5-32-544","*S-1-5-11","*S-1-5-32-551","*S-1-5-19","*S-1-5-20"] | | Increase a process working set | Non-compliant | [Warning] "*S-1-5-32-545" is not one of the expected values: ["*S-1-5-32-544","*S-1-5-19"] |
Additionally I noticed that I can connect to VM before applying assignment, but I cannot after, which means that AzureWindowsBaseline is messing up the machine configuration.
The system administrator has restricted the types of log-on (network or interactive) that you may use. For assistance, contact your system administrator or technical support.
I verified manually that before applying is less restrictive and contains more that "*S-1-5-32-544","*S-1-5-11"
I know it was working fine a few months ago. Is there any changelog and the possibility to point my configuration to older version of this guest policy?
BTW is there any way to check what AzureWindowsBaseline does behind the scene? I cannot find any definition of checks in the documentation and troubleshooting procedure. From my perspective is a black box because MS docs contains most information how to create and assign guest policies.
Azure Monitor
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 63%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Ashok Gandhi Kotnana 10,115 Reputation points Microsoft External Staff Moderator2025-06-18T10:53:08.51+00:00 You're using Azure Windows Baseline Guest Configuration in ApplyAndMonitor mode, which monitors compliance but does not remediate settings.
The non-compliance you're seeing relates to user rights assignments—a sensitive area in Windows security policy.
1.Azure provides a Run Command feature that lets you execute PowerShell inside the VM without RDP.
Steps: Go to the Azure Portal
Navigate to the affected VM
In the left menu, click Run command
Choose RunPowerShellScript
Run this script to reset the logon rights:
Add Authenticated Users and Administrators back to 'Access this computer from the network'
secedit /export /cfg C:\secpol.cfg (Get-Content C:\secpol.cfg) .replace("SeNetworkLogonRight = ","SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11") | Set-Content C:\secpol.cfg secedit /configure /db C:\Windows\Security\Local.sdb /cfg C:\secpol.cfg /areas USER_RIGHTS Remove-Item C:\secpol.cfgNote: This overwrites the user rights assignment for SeNetworkLogonRight
If RDP access is still not working, also reset the RDP service:
Restart-Service TermService -Force
2.Detach OS Disk & Fix from Another VM
If Run Command fails or doesn’t resolve the issue:
Stop the VM
Detach the OS disk
Attach it to a working helper VM
Open the disk via Disk Management or Explorer
Use tools like OfflineRegistry or load registry hives in regedit to revert:
Security policy registry settings (like HKLM\SYSTEM or HKLM\SECURITY)
Reattach the disk to the original VM
This is more complex and should be done cautiously.
3.Restore the VM from backups.
Microsoft does not provide a public changelog or version history for the Azure Windows Baseline Guest Configuration. The built-in policy definitions are periodically updated, but these updates are not always documented in detail.
Reference:
Please let me know how it goes
Thankyou
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Naveena Patlolla 3,605 Reputation points Microsoft External Staff Moderator2025-06-19T10:27:14.71+00:00 Hi Marcin Słowikowski
Just want to check if the above Comment provided by @Ashok Gandhi Kotnana worked for you or else please let us know if any help, we are always here to help whenever you need us.If the comment is helpful, please click "Upvote it"
Thankyou
-
Naveena Patlolla 3,605 Reputation points Microsoft External Staff Moderator
2025-06-20T10:22:30.7166667+00:00 Hi Marcin Słowikowski
We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.If the comment is helpful, please click "Upvote it"
-
Marcin Słowikowski 10 Reputation points
2025-06-24T15:30:38.7433333+00:00 Hi @Naveena Patlolla @Ashok Gandhi Kotnana
Was this answer generated by AI? it looks very similar to the answers the AI gave me on this topic recently and contains the following incorrect information:You're using Azure Windows Baseline Guest Configuration in ApplyAndMonitor mode, which monitors compliance but does not remediate settings.
It's not true. ApplyAndMonitor initially remediate settings and monitor drifts. https://learn.microsoft.com/en-us/azure/governance/machine-configuration/concepts/remediation-options#machine-configuration-assignment-types
The script to fix RDP access is incorrect because SeNetworkLogonRight does not exist on a clean VM. This is a tested and correct script:
$cfg="$env:windir\Temp\secpol.cfg"; $fix="$env:windir\Temp\secpol_fixed.cfg" secedit /export /cfg $cfg $c=[System.Collections.Generic.List[string]](Get-Content $cfg) $i=$c.IndexOf('[Privilege Rights]')+1 $c.Insert($i,'SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11'); $c|Set-Content $fix secedit /configure /db secedit.sdb /cfg $fix /areas USER_RIGHTSIf RDP access is still not working, also reset the RDP service: Restart-Service TermService -Force
There is no need to restart anything
2.Detach OS Disk & Fix from Another VM If Run Command fails or doesn’t resolve the issue: Stop the VM Detach the OS disk Attach it to a working helper VM Open the disk via Disk Management or Explorer Use tools like OfflineRegistry or load registry hives in regedit to revert: Security policy registry settings (like HKLM\SYSTEM or HKLM\SECURITY) Reattach the disk to the original VM This is more complex and should be done cautiously. 3.Restore the VM from backups.
The rest of the procedure is pointless because it is enough to fix the permissions via script
Microsoft does not provide a public changelog or version history for the Azure Windows Baseline Guest Configuration. The built-in policy definitions are periodically updated, but these updates are not always documented in detail.
Can you do anything to get more details and to give the possibility to allow users to control what is executed by the Azure Windows Baseline Guest Configuration? In its current state, the Azure Windows Baseline Guest Configuration has not been properly tested before the change was released. It was released with a bug that breaks RDP access. This is an unacceptable situation. If changes are not properly tested, immutable versions of the configuration must be delivered that users can use in a controlled manner; otherwise, this functionality cannot be called production-ready
Are you able to connect me with the product team responsible for this feature?
BTW please do not use AI-generated answers because in case of non-general subject, it often gives wrong answers, which makes you and me waste time
-
Ashok Gandhi Kotnana 10,115 Reputation points Microsoft External Staff Moderator
2025-06-24T15:35:17.52+00:00 I have reached out to you in a private message
-
Marcin Słowikowski 10 Reputation points
2025-06-24T15:44:36.5766667+00:00 Why was my comment reported and deleted? I asked if the answer was generated by AI (if so, I asked not to do it again because it saves me and you time, because such answers are often wrong), I highlighted what was wrong in the answer and provided the workaround I found, which may help other users who encounter the same problem
Unfortunately, my time availability is limited, so I prefer text communication. If needed, I can provide an example of how to reproduce the bug if you were unable to reproduce it
-
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator2025-06-24T21:04:39.1566667+00:00 Your comment was trapped by the automatic spam filter. Why it did not like you - I don't know. But I have restored your comment. (Since Ashok is a moderator, he can see the message anyway.)
-
Ashok Gandhi Kotnana 10,115 Reputation points Microsoft External Staff Moderator
2025-06-25T07:22:19.2233333+00:00 I can provide an example of how to reproduce the bug if you were unable to reproduce it?
Please share an example so that we will reproduce from our end and update you on this requestThankyou
-
Marcin Słowikowski 10 Reputation points
2025-06-25T14:10:35.8333333+00:00 The VM image is the latest MicrosoftWindowsServer 2022-datacenter-azure-edition. I also tried with e.g. 2022-datacenter-g2 sku and the problem is still there. My VM has system assigned identity enabled
This is how I enabled guest configuration feature:
locals { vm_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.Compute/virtualMachines/vm-name" } resource "azurerm_virtual_machine_extension" "guest_configuration_windows" { name = "AzurePolicyforWindows" publisher = "Microsoft.GuestConfiguration" type = "ConfigurationforWindows" type_handler_version = "1.1" virtual_machine_id = local.vm_id auto_upgrade_minor_version = true automatic_upgrade_enabled = true failure_suppression_enabled = false protected_settings = jsonencode({}) provision_after_extensions = [] settings = jsonencode({}) tags = {} } resource "azapi_resource" "azure_windows_baseline_guest_configuration" { type = "Microsoft.GuestConfiguration/guestConfigurationAssignments@2020-06-25" name = "AzureWindowsBaseline" parent_id = local.vm_id body = { properties = { guestConfiguration = { assignmentType = "ApplyAndMonitor" name = "AzureWindowsBaseline" version = "1.*" configurationParameter = [] configurationSetting = { rebootIfNeeded = false configurationMode = "ApplyAndMonitor" } } } } depends_on = [ azurerm_virtual_machine_extension.guest_configuration_windows ] }Please let me know if you reproduced the problem and if this is a known issue
Sign in to comment
Sign in to answer