
Default parameters missing when assigning CIS Controls v8.1 initiative

Martin Fitzsimons 0 Reputation points
2025-11-13T16:08:53.8266667+00:00

After assigning and setting the default parameters of the CIS Controls v8.1 to an Azure Arc VM, there are a few policies that remain non-compliant. One of these is the "Create symbolic links" item, which appears under the Machine Configuration section of "AzureBaseline_UserRightsAssignment". However, in the default parameters of CIS controls v8.1, there is no entry to tweak. The reason for the non-compliance is: Expected: Administrators | Actual: Administrators,*S-1-5-83-0 | Operator: EQUALS. I'd like to be able to include the *S-1-5-83-0, which, according to the CIS website, is permitted (and potentially should already be a default).

Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.


1 answer

  1. Suchitra Suregaunkar 14,595 Reputation points Microsoft External Staff Moderator
    2025-11-14T04:06:50.0566667+00:00

    Hello Martin Fitzsimons

    Thank you for posting your query on Microsoft Q&A platform.

    S‑1‑5‑83‑0 is the well‑known SID for the built‑in group NT VIRTUAL MACHINE\Virtual Machines added by Windows when the Hyper‑V role/features are present. On Hyper‑V systems, this group is purposely granted the Create symbolic links right, so virtual machines operate correctly. Microsoft and STIG guidance explicitly state that having NT VIRTUAL MACHINE\Virtual Machines (S‑1‑5‑83‑0) on Hyper‑V systems is not a finding (i.e., acceptable).

    The reason Azure Policy flags non‑compliance is that the built‑in baseline/initiative compares with “EQUALS” to Administrators only, and its default parameters do not expose a switch to include the extra SID in that rule.

    As a resolution:

    Add a Policy Exemption (fastest, recommended for Hyper‑V hosts):

    1. In Azure Policy → Compliance, open the initiative/policy result for Create symbolic links.
    2. Click Add exemption at the appropriate scope (subscription/resource group/VM).
    3. Justification: “Hyper‑V host—S‑1‑5‑83‑0 (NT VIRTUAL MACHINE\Virtual Machines) is permitted for SeCreateSymbolicLinkPrivilege per Microsoft.” This keeps your built‑in assignment intact and prevents false positives. (Exemptions are a supported mechanism in Azure Policy.)

    Customize the Machine Configuration baseline (if you use the new Settings Picker):

    1. Go to Azure Portal → Policy → Machine Configuration → Definitions.
    2. Select your Windows baseline and click Modify settings.
    3. Locate User Rights Assignment → Create symbolic links and adjust expected principals or change the comparison to a membership‑style evaluation that includes NT VIRTUAL MACHINE\Virtual Machines.
    4. Review + download the customized JSON and assign the baseline using the uploaded parameters.

    Reference: https://learn.microsoft.com/en-us/azure/governance/machine-configuration/how-to/assign-security-baselines/deploy-a-baseline-policy-assignment and
    https://learn.microsoft.com/en-us/azure/governance/machine-configuration/how-to/assign-built-in-policies

    If you need any further assistance, please feel free to reach out.

    Thanks,

    Suchitra.
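
Before exempting a machine, it helps to confirm that the virtual machines group is the only extra principal holding the right. The following is an added example, not part of the answer above and not Microsoft's code: it parses a `secedit` user-rights export and evaluates "Create symbolic links" both as the baseline's strict EQUALS check and against an allow-list that tolerates S-1-5-83-0 on Hyper-V hosts. The function names are hypothetical and the INF lines are constructed sample data.

```powershell
# Added example. Function names are hypothetical; the INF lines are constructed sample data.
function Get-UserRightPrincipals {
    param([string[]] $InfLines, [string] $Privilege)
    $pattern = '^\s*' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            # secedit prefixes SIDs with '*'; strip it and drop empty entries
            return @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right not listed: assigned to no principal
}

function Test-CreateSymbolicLinkRight {
    param([string[]] $Actual, [bool] $IsHyperVHost)
    $adminForms = @('S-1-5-32-544', 'Administrators')   # BUILTIN\Administrators as SID or name
    $allowed = $adminForms
    if ($IsHyperVHost) { $allowed += 'S-1-5-83-0' }     # NT VIRTUAL MACHINE\Virtual Machines
    $unexpected = @($Actual | Where-Object { $_ -notin $allowed })
    $hasAdmins  = @($Actual | Where-Object { $_ -in $adminForms }).Count -gt 0
    [pscustomobject]@{
        Actual       = $Actual -join ','
        StrictEquals = ($Actual.Count -eq 1 -and $hasAdmins)   # what the EQUALS rule accepts
        Unexpected   = $unexpected -join ','                   # principals outside the allow-list
        Acceptable   = ($hasAdmins -and $unexpected.Count -eq 0)
    }
}

# Constructed sample of a secedit export, mirroring the "Actual" value in the question.
$sample = @(
    '[Privilege Rights]'
    'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-83-0'
)
# On a live host (elevated prompt), replace $sample with the real export:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf" | Out-Null
#   $sample = Get-Content "$env:TEMP\rights.inf"
$actual = @(Get-UserRightPrincipals -InfLines $sample -Privilege 'SeCreateSymbolicLinkPrivilege')

# IsHyperVHost comes from your inventory; on Windows Server,
# (Get-WindowsFeature -Name Hyper-V).Installed can supply it.
Test-CreateSymbolicLinkRight -Actual $actual -IsHyperVHost $true
Test-CreateSymbolicLinkRight -Actual $actual -IsHyperVHost $false
```

A result with `Acceptable` true and `StrictEquals` false on a Hyper-V host is the case the exemption covers. Any value listed under `Unexpected` is a principal to review before exempting the machine.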
