

What is Windows SSH Posture Control (private preview) with Azure Policy and PowerShell?

SSH Posture Control enables you to use the familiar workflows of Azure Policy and Machine Configuration to:

  • Ensure compliance with standards in your industry or organization
  • Reduce attack surface of remote management features
  • Ensure consistent setup across your fleet for security and productivity

SSH Posture Control also provides detailed Reasons describing how compliance or non-compliance was determined. These Reasons make it easier to take action or to fully document compliance.

Screenshot showing list of compliant SSH checks

SSH Posture Control analyzes and enforces approximately 20 SSH server (sshd) parameters. You can also customize certain parameters to suit your environment. For example, you can customize which users and groups are allowed SSH access as well as the port number and more.

You can deploy SSH Posture Control in either audit or audit-and-configure mode: audit your fleet of machines, track the results, and then automatically remediate the fleet to the sshd standard.

Private preview limitations

Important

SSH Posture Control is in private preview. The preview is intended to open a dialog between you and Microsoft.

  • The preview is intended for use with isolated dev/test machines where any problem (including inadvertently locking yourself out from SSH access) would not have important consequences.
  • The preview involves importing the policy definition, rather than choosing it from the Azure Policy built-in list.
  • Both the audit and the audit-and-configure workflows are provided for the preview.
  • The only supported Windows SKU is currently Windows Server 2025.

Getting started with Azure Policy

This example is focused on getting started quickly within Azure Policy. It makes simplifying assumptions and does not explore everything that is possible. For example, it uses the default SSH settings from the PolicyDefinition rather than customizing parameters such as allowed users and groups. More comprehensive information on SSH Posture Control, including settings and behaviors, is expected in the near future. The local PowerShell experience is covered in the section towards the end of this article.

Tip

The following mental model and terminology are used throughout this article.

Diagram showing that our Azure subscription will contain a PolicyDefinition which is linked through a PolicyAssignment to a ResourceGroup containing machines

  • PolicyDefinition : SSH Posture Control definition and metadata, as represented in the Azure Policy service.
  • PolicyAssignment : Links your SSH Posture Control PolicyDefinition to a scope where that policy should be applied, such as a resource group.
  • Machine : An endpoint capable of being managed by Azure Policy and Machine Configuration (also known as Guest Configuration). In other words, an Arc enabled machine or an Azure VM.

A. Pre-requisites

  1. An Azure account with permission to create a resource group, a VM (or Arc machine), a policy definition and a policy assignment.
  2. For the portal experience used in this walkthrough, sign in to the Azure Portal (or your local equivalent) using a web browser.

B. Create a resource group

  1. Create a resource group. In upcoming steps this will be used to scope the policy, and to contain a new test machine.

screen capture of creating a resource group

C. Create the PolicyDefinition

Note

This extra step (creating rather than just choosing the PolicyDefinition) is required during the private preview.

  1. Navigate to the Azure Policy Overview page. For example, you could use the URI: https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Overview.
  2. Navigate to the Definitions view.
  3. Click the + Policy Definition button to create a new PolicyDefinition, entering the following as inputs.
    1. Definition location: Choose your Azure subscription where the PolicyDefinition will live.
    2. Name: [Preview] Audit SSH Posture Control policy or [Preview] Configure SSH Posture Control policy
    3. Category: Use Existing, then choose Guest Configuration
    4. Policy rule: Delete the pre-existing JSON, and paste the PolicyDefinition JSON from Preview audit SSH Posture Control policy definition or Preview audit-and-configure SSH Posture Control policy definition
  4. Click Save

Screen capture illustrating the preceding steps

D. Use a PolicyAssignment to apply the PolicyDefinition to your resource group

Caution

This policy modifies sshd configuration on in-scope machines. These instructions have you assigning it to an initially empty resource group, where you will later create a test machine. Take great care if you choose to assign to any broader scope.

  1. Navigate to the Policy | Definitions page which lists all available policy definitions.
  2. Select the [Preview] SSH Posture Control policy PolicyDefinition you created earlier
  3. Click Assign.
  4. For Scope choose the resource group where you will later create a new test machine.
  5. Proceed to the Parameters tab.
    1. Choose "true" for Include Arc connected machines, unless you specifically want to exclude Arc connected machines.
    2. NOTE: To customize SSH settings such as allowed groups, uncheck the Only show parameters... box to reveal all of the available parameters. Allowed or denied users and groups are entered as a single space-delimited string, for example userA userB.
  6. Proceed to the Remediation tab.
    1. NOTE: Although this demo focuses on a new machine, in other scenarios where you want the PolicyAssignment to apply to existing machines you can check the box for Create a remediation task.
    2. Choose Create a Managed Identity with System assigned and an identity location of your choice.
  7. Proceed to Review + create
    1. Choose Create to complete the PolicyAssignment.

Screen capture showing an example of the preceding PolicyAssignment steps

E. Create a new machine

Although new PolicyAssignments can apply to existing machines, that process can take up to 24 hours. For this quick-start we focus on evaluating a new machine. In this example we create an Azure VM, but you could create an Arc enabled machine if you prefer.

  1. Navigate to the Azure Virtual Machines experience.
  2. Create a new VM, ensuring the following properties:
    1. Subscription and Resource Group should match where the PolicyAssignment was scoped.
    2. Image should be "Windows Server 2025".
    3. VM architecture should be x64.
    4. Other properties such as VM name, size, etc. can be whatever you prefer.
  3. Wait for the VM creation to complete, and then click Go to Resource to reach the machine overview page
  4. In the left-hand navigation, select Identity and ensure that the machine has a system managed identity
  5. In the left-hand navigation, select Extensions + applications, then + Add
  6. Choose the Azure Machine Configuration extension for Windows and select Next
  7. Select Review + create, then create

Screen capture showing an example of the preceding steps

F. Take a break before proceeding

When new PolicyDefinitions, PolicyAssignments, and machines are involved, it can take several minutes for everything to reach steady-state. Consider waiting at least 30 minutes before proceeding to the next step.

G. Observe compliance results

The following steps enable you to see a compliance rollup at different altitudes:

  • Compliance by PolicyAssignment
    • Number of machines compliant and non-compliant
    • Highest altitude, especially useful for large fleets
  • Compliance by machine
    • List of machines with yes/no per machine
  • Compliance by setting, for a specific machine
    • Deepest level of detail, like the screenshot at the top of this article.

Tip

Your new machine will likely be judged non-compliant when it encounters the policy for the first time, because the default SSH settings in the policy are stricter than what many OS images configure by default. After a further 20 minutes or so, you should find that your machine becomes compliant thanks to the remediation logic built into SSH Posture Control.

  1. Navigate to the Policy | Compliance page.
  2. Select [Preview] SSH Posture Control policy.
  3. Observe that the number of compliant / non-compliant machines is reported
  4. Under Resource Compliance you can see the status for individual machines
  5. To drill down to the setting-by-setting details for a specific machine:
    1. Click the ... next to a machine, and choose View resource to reach the machine's Overview page
    2. In the left hand navigation under Operations, click Configuration management (not Configuration under Settings)
    3. Click SecureShell
    4. The resulting page shows each setting in the configuration with details about compliance as well as how compliance was determined.

Screen capture showing preceding steps
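The portal procedure in sections B through G can also be scripted. The following is an added example written for this page, not code from the article or from Microsoft; it uses the Az PowerShell modules to perform the same steps for the audit-and-configure workflow. Assumptions not stated by the article: the PolicyDefinition JSON the article links has been saved locally to ./ssh-posture-configure.json in a form that New-AzPolicyDefinition -Policy accepts; the definition declares a string parameter named IncludeArcMachines (the portal label is "Include Arc connected machines", so confirm the real name from the listing the script prints); the Windows Server 2025 image URN exists in your region; the assignment name SecureShell comes from step G and the reports API property names follow the Guest Configuration reports schema; object property names follow Az.Resources 7.x. All resource names and the location are placeholders.

```powershell
# Added example (not from the original article): scripted equivalent of portal steps B to G
# for the audit-and-configure workflow, using Az.Accounts, Az.Resources, Az.Compute and
# Az.PolicyInsights. Names, location, JSON path and the IncludeArcMachines parameter name
# are assumptions to adjust for your environment.
#Requires -Modules Az.Accounts, Az.Resources, Az.Compute, Az.PolicyInsights

$Location    = 'westus3'
$RgName      = 'rg-ssh-posture-preview'        # stays empty until step E, as the article advises
$DefName     = 'preview-configure-ssh-posture-control'
$DefDisplay  = '[Preview] Configure SSH Posture Control policy'
$DefJsonPath = './ssh-posture-configure.json'  # assumption: JSON saved from the article's link
$AssignName  = 'ssh-posture-control-preview'
$VmName      = 'vm-ssh-posture-01'

Connect-AzAccount | Out-Null

# B. Resource group that scopes the assignment and later holds the test VM.
$rg = New-AzResourceGroup -Name $RgName -Location $Location -Force

# C. Import the preview definition (private preview: imported, not picked from built-ins).
# Mode 'All' lets the definition evaluate Arc-connected machines as well as Azure VMs.
$def = New-AzPolicyDefinition -Name $DefName -DisplayName $DefDisplay -Policy $DefJsonPath `
    -Mode All -Metadata '{"category":"Guest Configuration"}'

# Check which parameter names the JSON actually declares before building the assignment.
$def.Parameter.PSObject.Properties.Name

# D. Assign to the (still empty) resource group. The system-assigned identity is what the
# deployIfNotExists effect uses to write the Machine Configuration assignment to each VM.
$assign = New-AzPolicyAssignment -Name $AssignName -DisplayName $DefDisplay `
    -PolicyDefinition $def -Scope $rg.ResourceId `
    -PolicyParameterObject @{ IncludeArcMachines = 'true' } `
    -IdentityType SystemAssigned -Location $Location

# The portal grants the identity the roles listed in the definition; PowerShell does not.
# Without this step remediation deployments fail with an authorization error.
foreach ($roleId in $def.PolicyRule.then.details.roleDefinitionIds) {
    New-AzRoleAssignment -ObjectId $assign.IdentityPrincipalId `
        -RoleDefinitionId ($roleId -split '/')[-1] -Scope $rg.ResourceId | Out-Null
}

# E. Windows Server 2025 x64 VM with a system-assigned identity and the Machine
# Configuration extension (publisher and type are the published values for Windows).
$cred = Get-Credential -Message 'Local administrator for the test VM'
New-AzVM -ResourceGroupName $RgName -Name $VmName -Location $Location -Credential $cred `
    -Image 'MicrosoftWindowsServer:WindowsServer:2025-datacenter-azure-edition:latest' `
    -Size 'Standard_D2s_v5' -SystemAssignedIdentity | Out-Null
Set-AzVMExtension -ResourceGroupName $RgName -VMName $VmName -Location $Location `
    -Name 'AzurePolicyforWindows' -Publisher 'Microsoft.GuestConfiguration' `
    -ExtensionType 'ConfigurationforWindows' -TypeHandlerVersion '1.0' `
    -EnableAutomaticUpgrade $true | Out-Null

# F/G. Evaluation is asynchronous (the article suggests waiting about 30 minutes).
# Request a scan, then read per-resource compliance for this assignment.
Start-AzPolicyComplianceScan -ResourceGroupName $RgName
Get-AzPolicyState -ResourceGroupName $RgName -PolicyAssignmentName $AssignName |
    Select-Object ResourceId, ComplianceState, Timestamp | Format-Table -AutoSize

# Setting-by-setting Reasons (what the portal shows under Configuration management >
# SecureShell) come from the Guest Configuration reports API for that assignment.
$vmId = (Get-AzVM -ResourceGroupName $RgName -Name $VmName).Id
$reportPath = "$vmId/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/SecureShell/reports?api-version=2022-01-25"
$reports = (Invoke-AzRestMethod -Method GET -Path $reportPath).Content | ConvertFrom-Json
$reports.value[0].properties.details.resources |
    Select-Object resourceId, complianceStatus,
        @{ Name = 'Reason'; Expression = { ($_.reasons.phrase) -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

Two points worth keeping in mind when running this instead of clicking through the portal: the role assignment loop is the step the portal does for you and scripts routinely forget, and the simple New-AzVM parameter set opens the default Windows management ports on the VM's network security group, so keep the machine isolated as the preview limitations above recommend.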

Getting started with the Local Experience (PowerShell)

Prerequisites

The commands in the following sections come from the Microsoft.OSConfig PowerShell module, which must be installed on the machine. Use them to apply a baseline, verify that it is applied, remove a baseline, or view detailed compliance information for OSConfig in PowerShell.

Configure

To apply the SSH scenario, run the following command:

Set-OSConfigDesiredConfiguration -Scenario SSH -Default

Verify

To verify that the SSH scenario is properly applied, run the following command:

Get-OSConfigDesiredConfiguration -Scenario SSH

Check compliance

To obtain the desired configuration details for the specified scenario, use the following command. The output appears as a table that includes the name of each configuration item, its compliance status, and the reason for non-compliance.

To check the compliance details for the SSH scenario, run the following command:

Get-OSConfigDesiredConfiguration -Scenario SSH | Format-Table Name, @{ Name = "Status"; Expression = { $_.Compliance.Status } }, @{ Name = "Reason"; Expression = { $_.Compliance.Reason } } -AutoSize -Wrap

Custom Configuration

To customize a setting in the SSH scenario, specify the setting with the -Name and -Value parameters:

Set-OSConfigDesiredConfiguration -Scenario SSH -Name Banner -Value "Custom Banner"
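The four commands above are enough to apply, verify and customize the SSH scenario, but on a machine you care about you also want a copy of the file you are about to change, a guard against the lock-out the preview limitations warn about, and a check that sshd itself enforces what the module reports. The following is an added example written for this page, not code from the article or from the OSConfig module. Assumptions not stated by the article: the Microsoft.OSConfig module is installed and the session is elevated; the configuration item for allowed groups is named AllowGroups, and the PasswordAuthentication and Port items carry the same names as their sshd keywords (the article only names Banner, so confirm these in the Get-OSConfigDesiredConfiguration output before relying on them); Remove-OSConfigDesiredConfiguration is the module's removal cmdlet for a scenario; and sshd.exe -T is available on this Windows OpenSSH build.

```powershell
# Added example (not from the original article): the Microsoft.OSConfig cmdlets shown above,
# wrapped so that a backup of sshd_config exists before any change, an AllowGroups value that
# would exclude the current account is refused, and the result is cross-checked against the
# configuration sshd itself reports as effective. Item names other than Banner are assumptions.
#Requires -RunAsAdministrator
#Requires -Modules Microsoft.OSConfig

$SshdConfig = Join-Path $env:ProgramData 'ssh\sshd_config'
$SshdExe    = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'

function Get-SshPostureReport {
    # The article's compliance table, returned as objects so it can be filtered and logged.
    Get-OSConfigDesiredConfiguration -Scenario SSH |
        Select-Object Name,
            @{ Name = 'Status'; Expression = { $_.Compliance.Status } },
            @{ Name = 'Reason'; Expression = { $_.Compliance.Reason } }
}

function Get-SshdEffectiveConfig {
    # sshd -T prints the configuration sshd will actually enforce, one lower-cased
    # "keyword value" pair per line; multi-valued keywords repeat the keyword per value.
    $effective = @{}
    & $SshdExe -T | Where-Object { $_ -match '\S' } | ForEach-Object {
        $kw, $val = $_ -split '\s+', 2
        if (-not $effective.ContainsKey($kw)) { $effective[$kw] = @() }
        $effective[$kw] += $val
    }
    $effective
}

function Set-SshAllowedGroupsSafely {
    param([Parameter(Mandatory)][string[]] $Groups)
    # Windows OpenSSH matches group names case-insensitively, without the BUILTIN or domain
    # prefix, so compare leaf names of the caller's token groups against the new list.
    $mine = whoami /groups /fo csv | ConvertFrom-Csv |
        ForEach-Object { ($_.'Group Name' -split '\\')[-1].ToLowerInvariant() }
    $overlap = $Groups | Where-Object { $mine -contains $_.ToLowerInvariant() }
    if (-not $overlap) {
        throw "Refusing AllowGroups '$($Groups -join ' ')': none contain $env:USERNAME, which would lock this account out of SSH."
    }
    # Allowed users and groups are passed as one space-delimited string (see section D above).
    Set-OSConfigDesiredConfiguration -Scenario SSH -Name AllowGroups -Value ($Groups -join ' ')
}

# 1. Keep a copy of the file to diff against or restore from. Remove-OSConfigDesiredConfiguration
#    -Scenario SSH drops the desired state; the backup is the rollback path for the file itself.
Copy-Item $SshdConfig "$SshdConfig.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

# 2. Apply the default SSH scenario, then show only what is still non-compliant, with Reasons.
Set-OSConfigDesiredConfiguration -Scenario SSH -Default
Get-SshPostureReport | Where-Object Status -ne 'Compliant' | Format-Table -AutoSize -Wrap

# 3. Customize allowed groups, refusing a value that would exclude the current account.
Set-SshAllowedGroupsSafely -Groups 'administrators', 'sshusers'

# 4. Trust sshd, not the tooling: compare enforced values with what OSConfig reports.
$eff = Get-SshdEffectiveConfig
[pscustomobject]@{
    AllowGroups            = $eff['allowgroups'] -join ' '
    PasswordAuthentication = $eff['passwordauthentication'] -join ' '
    Port                   = $eff['port'] -join ' '
} | Format-List
Get-SshPostureReport |
    Where-Object Name -in 'AllowGroups', 'PasswordAuthentication', 'Port' |
    Format-Table -AutoSize
```

Run it over an existing SSH session and keep that session open until step 4 confirms the new AllowGroups value still includes a group you are a member of; a second connection is the cheapest test that you have not locked yourself out.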

Next step

Contact the team at Microsoft to provide feedback, feature requests, etc.