Azure Policy machine configuration extension
You can use the Azure Policy machine configuration extension to audit the configuration settings of a virtual machine. Machine configuration supports Azure VMs natively. Physical servers and non-Azure virtual servers are supported with Azure Arc-enabled servers, Azure Arc-enabled VMware vSphere, or Azure Arc-enabled System Center Virtual Machine Manager.
To find the list of machine configuration policies, search for machine configuration on the Azure Policy portal page, or run this cmdlet in a PowerShell window to find the list:
Get-AzPolicySetDefinition | Where-Object {$_.Properties.metadata.category -eq "Machine Configuration"}
Note
Machine configuration functionality is regularly updated to support additional policy sets. Check for new supported policies periodically and evaluate whether they'll be useful.
Deployment
Use the following example PowerShell script to deploy these policies to:
- Verify that password security settings in Windows and Linux computers are set correctly.
- Verify that certificates aren't close to expiration on Windows VMs.
Before you run this script, use the Connect-AzAccount cmdlet to sign in. When you run the script, you must provide the name of the subscription that you want to apply the policies to.
# Assign machine configuration policy.
param (
[Parameter(Mandatory=$true)]
[string] $SubscriptionName
)
$Subscription = Get-AzSubscription -SubscriptionName $SubscriptionName
$scope = "/subscriptions/" + $Subscription.Id
$PasswordPolicy = Get-AzPolicySetDefinition -Name "3fa7cbf5-c0a4-4a59-85a5-cca4d996d5a6"
$CertExpirePolicy = Get-AzPolicySetDefinition -Name "b6f5e05c-0aaa-4337-8dd4-357c399d12ae"
New-AzPolicyAssignment -Name "PasswordPolicy" -DisplayName "[Preview]: Audit that password security settings are set correctly inside Linux and Windows machines" -Scope $scope -PolicySetDefinition $PasswordPolicy -AssignIdentity -Location eastus
New-AzPolicyAssignment -Name "CertExpirePolicy" -DisplayName "[Preview]: Audit that certificates are not expiring on Windows VMs" -Scope $scope -PolicySetDefinition $CertExpirePolicy -AssignIdentity -Location eastus
Next steps
Learn how to enable change tracking and alerting for critical file, service, software, and registry changes.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for