guest configuration dsc resource

Danse, BJ (Bart) 1 Reputation point

I am currently investigating the guest configuration preview within our environment. Scoped to only security baseline monitoring and remediation. My goal is to try to use as much default policies as possible and prevent creating of custom packages. From what I can find current guest configuration policies are only meant for auditing. Which means I would require custom packages..

Creating a custom package of our baseline would end up in a package per OS and requiring policy filtering on different OS images to apply the correct policy. Not really manageable in my opinion.

Doing some digging. I found a script on git : link. With the following line :
Start-GuestConfigurationPackageRemediation -Path ''

This package contains a AzureWindowBaseline resource with compiled mof. I think it is also used by a preview policy definition. “[Preview]: Windows machines should meet requirements of the Azure compute security baseline”. The policy seems only limited to auditing. But the big plus I see in the mof is the ability to filter each settings to one of more operating systems and or role types. With that I would only have a single policy to apply to all vm’s.


  1. Is/Will AzureWindowsBaseline (AzureOSBaseline) Dsc resource be publicly available. So additional settings could be set in a similar way. If not maybe propose additional attributes to AuditPolicyDSC, SecuretyPolicyDsc. Not sure what to do with registry settings..
  2. Will overriding settings be a capability for the default policies. (Is yes, what is the ETA?) Needed to accommodate exceptions via alternate assignment and overriding defaults
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
605 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Danse, BJ (Bart) 1 Reputation point

    @Michael Greene could you help with this?

    0 comments No comments

  2. Michael Greene 21 Reputation points Microsoft Employee

    I am working on a quickstart template to make the example easier. The following docs page includes a reference.

    As you noticed, the Windows baseline package is capable of applying settings. We have not made it a built-in DINE policy yet. Just fyi, the Linux baseline package is not yet able to apply settings.