"Audit Windows machines on which the specified services are not installed and 'Running'" Policy not working

Shinde, Balaji 116 Reputation points
2021-11-30T13:43:25.93+00:00

Hi All,

I have duplicated a built-in policy, i.e. "Audit Windows machines on which the specified services are not installed and 'Running'". I am trying to audit my Azure VMs for the sysmon64 service. I have given the parameter as 'sysmon64'. But the policy is showing as non-compliant for all resources, irrespective of whether the service is present or not.

In compliance, it shows the non-compliance reason as "No related resources match the effect details in the policy definition. (Error code: NoComplianceReport)".

I have tried changing the policy mode to All, tried with a different service and a different assignment, but the result is the same.

Can someone help me here please?


2 answers

  1. Jesse Loudon 336 Reputation points
    2021-12-01T00:22:21.45+00:00

    Hi @Shinde, Balaji

    For the ServiceName parameter of this policy, try passing in the parameter value of "Sysmon64", as perhaps case sensitivity is an issue.

    Relating to Guest Configuration policies, there are some prerequisites that may be applicable to your use case. You can see these prerequisites here: https://aka.ms/gcpol

    I checked this particular built-in policy and found this note in the description about non-compliance:

    Machines are non-compliant if result of the Windows PowerShell command Get-Service do not include the service name with matching status as specified by the policy parameter.

    Hope this helps

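An added example (not part of the answer above or of Azure Policy): a local re-creation of the Get-Service check that the policy description refers to, for running on the VM to see which service names and statuses are actually reported. `Test-ServiceRunning` is a hypothetical helper, the sample service list is constructed, and the semicolon-separated, wildcard-capable name list is an assumption about the parameter format.

```powershell
# Added example: local re-creation of the Get-Service check quoted above.
# Test-ServiceRunning is a hypothetical helper, not part of Azure Policy.
function Test-ServiceRunning {
    param(
        # Assumption: names are separated by semicolons and may contain wildcards.
        [Parameter(Mandatory)][string]$ServiceName,
        # Defaults to the live machine; pass constructed objects to test offline.
        [object[]]$Services = (Get-Service)
    )
    $patterns = $ServiceName -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($pattern in $patterns) {
        # -like compares names without regard to case
        $found = @($Services | Where-Object { $_.Name -like $pattern })
        if ($found.Count -eq 0) {
            [pscustomobject]@{
                Pattern = $pattern; Name = $null; Status = 'NotInstalled'
                ExactCase = $false; Compliant = $false
            }
            continue
        }
        foreach ($svc in $found) {
            [pscustomobject]@{
                Pattern   = $pattern
                Name      = $svc.Name
                Status    = [string]$svc.Status
                # -clike is the case-sensitive form: shows whether only the casing differs
                ExactCase = ($svc.Name -clike $pattern)
                Compliant = ([string]$svc.Status -eq 'Running')
            }
        }
    }
}

# Constructed sample data standing in for Get-Service output on a VM.
$sample = @(
    [pscustomobject]@{ Name = 'Sysmon64'; Status = 'Running' }
    [pscustomobject]@{ Name = 'WinRM';    Status = 'Stopped' }
)
Test-ServiceRunning -ServiceName 'sysmon64;WinRM;Spooler' -Services $sample |
    Format-Table -AutoSize
```

On a real VM, omit `-Services` so the function reads the live `Get-Service` output.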

  2. Zaheer Gauhar 1 Reputation point
    2022-06-30T13:17:57.923+00:00

    Hi,
    I'm getting the same error for a different service. I have matched the case as well. Did you find a solution to your problem?

    Thanks in advance.

